Credential gets unset


Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

#1

Postby Segi » Mon Oct 10, 2016 7:28 pm

During the login process, the login service sets certain user credentials so I can access them anywhere in any of my applications.

Code:

tables.CREDENTIALS.insertRow();
tables.CREDENTIALS.ID.value="USERID";
tables.CREDENTIALS.VALUE.value=tables.USERS.USERID.value;
tables.CREDENTIALS.updateTable();

I am having an issue with the user ID credential variable seemingly getting unset in a short period of time, in fact shorter than the session timeout period that I set in web.xml (90 minutes).

Whenever a user wants to access one of my applications, the Before Page event calls a globally shared function that verifies whether the user has permission to access that specific application. I have added a check in this function to make sure that the UserID credential is set and that the user is logged on. If either condition is true (user id is not set or the user is not logged in), an error message is displayed and the user has to log on again.

Code:

if (isNaN(parseInt(system.securityManager.getCredential("USERID"))) == true || system.securityManager.isUserLoggedOn() == false) {
     // Add a log entry to record that the user ID is not set
     // In order to help me debug why the username credential is getting unset (it shouldn't be!), I use an if to add a different log message to
     // help me differentiate what caused this if statement to evaluate to true
     if (isNaN(parseInt(system.securityManager.getCredential("USERID"))) == true) {
          addIntranetLog(null,(system.securityManager.getCredential("REALNAME") != null ? system.securityManager.getCredential("REALNAME") : null),"The User ID is not set in verifyUserSession()","SESSION TIMEOUT",(system.variables.$BROWSER_IP_ADDRESS.value != null ? system.variables.$BROWSER_IP_ADDRESS.value : null));
     } else {
          addIntranetLog(null,(system.securityManager.getCredential("REALNAME") != null ? system.securityManager.getCredential("REALNAME") : null),"The user is not logged in coming from verifyUserSession()","SESSION TIMEOUT",(system.variables.$BROWSER_IP_ADDRESS.value != null ? system.variables.$BROWSER_IP_ADDRESS.value : null));
     }

     // Because form.abort is called below, I have to make this call to force the transaction to be committed. Otherwise, form.abort will roll back the transaction
     system.transactionManager.commitAndRestartTransaction();

     try {
          form.abort((system.securityManager.getCredential("REALNAME") != null ? "Sorry " + system.securityManager.getCredential("REALNAME") + " but your" : "Your") + " Intranet session has timed out and you will be logged out now.");
     } finally {
          system.securityManager.logoff();
     }
}

I added this if logic today

Code:

if (isNaN(parseInt(system.securityManager.getCredential("USERID"))) == true) {

to write different log messages depending on whether the if condition evaluated to true because the user ID is not set or whether the user is logged out, and I am only seeing the message "The User ID is not set in verifyUserSession()". How could this variable get unset so quickly? I know that I don't unset it and I am not aware of a way to unset credentials even if I wanted to, but since isNaN(parseInt(system.securityManager.getCredential("USERID"))) == true is evaluating to true, I end up with no choice but to terminate the users' session, forcing them to log in again. Any thoughts would be helpful.
0 x

Jon
Moderator
Posts: 1342
Joined: Wed Sep 12, 2007 12:49 pm

#2

Postby Jon » Tue Oct 11, 2016 9:43 am

Your logic seems very complicated to me. If the user is still logged on i.e. they haven't timed out, then the credentials will still exist - I would be amazed if this was not true. If you just want to check if the user is logged on, you can use:

Code:

if (system.securityManager.isUserLoggedOn()) {
     // ...
}

You don't need to add the "== true" on the end.

I don't see how adding a credential containing the userid helps in any way.
0 x
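
An added example, not part of the original posts and not Verj.io's own code: the inner `if` in the first post tests the credential before the login state, so a session that fails both checks is always logged as "The User ID is not set". The stub `makeSecurityManager`, the sample sessions and the reason strings are hypothetical, and the stub assumes a logged-off session returns null for every credential.

```javascript
// Stub of the two securityManager calls used in this thread.
// Assumption: once the user is logged off, getCredential() returns null.
function makeSecurityManager(loggedOn, credentials) {
  return {
    isUserLoggedOn: () => loggedOn,
    getCredential: (id) =>
      loggedOn && Object.prototype.hasOwnProperty.call(credentials, id)
        ? credentials[id]
        : null,
  };
}

// Same order as the check in post #1: the credential is tested first,
// so a logged-off session is reported as a missing user ID.
function reasonCredentialFirst(sm) {
  const badId = isNaN(parseInt(sm.getCredential("USERID"), 10));
  if (!badId && sm.isUserLoggedOn()) return "OK";
  return badId ? "USERID_NOT_SET" : "NOT_LOGGED_ON";
}

// Login state tested first (the check suggested in post #2), so a missing
// credential is only reported when the session is still live.
function reasonLoginFirst(sm) {
  if (!sm.isUserLoggedOn()) return "NOT_LOGGED_ON";
  const raw = sm.getCredential("USERID");
  if (raw === null || raw === undefined) return "USERID_NOT_SET";
  if (!/^\d+$/.test(String(raw))) return "USERID_NOT_NUMERIC";
  return "OK";
}

// Constructed sample sessions, not real data.
const SESSIONS = {
  live: makeSecurityManager(true, { USERID: "42" }),
  loggedOff: makeSecurityManager(false, { USERID: "42" }),
  liveNoId: makeSecurityManager(true, {}),
  liveBadId: makeSecurityManager(true, { USERID: "abc" }),
};

// Returns both classifications for every sample session.
function compareAll() {
  const out = {};
  for (const [name, sm] of Object.entries(SESSIONS)) {
    out[name] = [reasonCredentialFirst(sm), reasonLoginFirst(sm)];
  }
  return out;
}

console.log(compareAll());
```
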

Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

#3

Postby Segi » Tue Oct 11, 2016 3:38 pm

Jon,

I suspect, but am not sure, that the user's session has timed out when this evaluates to true. If that is the case, then the real issue is that the user's session is timing out sooner than it should be.
0 x

Jon
Moderator
Posts: 1342
Joined: Wed Sep 12, 2007 12:49 pm

#4

Postby Jon » Tue Oct 11, 2016 4:43 pm

If the user session times out, you won't be able to run a script in the "old" session. The user would see the timeout page.
0 x

Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

#5

Postby Segi » Tue Oct 11, 2016 4:57 pm

Jon,

As I said, what I think might be happening is that a user has a form open but their session has already timed out because they were away from the computer/browser. So when the user clicks on a link on the expired form, the before page event of the new form calls verifyUserSession(), which detects that the credential user id is not set. I think that the real issue is that the session is timing out too quickly, which is causing this behavior. The fact that the credential is not set is probably a side effect of this.
0 x

Jon
Moderator
Posts: 1342
Joined: Wed Sep 12, 2007 12:49 pm

#6

Postby Jon » Wed Oct 12, 2016 8:25 am

Segi,

I understand your point. My experience is that sessions may time out 1 or 2 minutes either side of the specified amount but not more than this. If you want to check, you can activate logging of session information by adding the following to the Ebase server startup:

-DsessionDebug=true

Jon
0 x

Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

#7

Postby Segi » Thu Oct 13, 2016 3:43 pm

Jon,

Thanks

I'll add this to my startup variables.

Segi
0 x

