Question

Webservice user sessions seem not to be deleted

0

Hi, In our application there are both anonymous users and single-signed on users using the SAML module. Because of security requirements I have a scheduled event which deletes all non-webservice users every 5 minutes and I configured the SAML-users to be webservice users, such that the normal login procedure will never work as there are no local users. Unfortunately, this setup backfires on me as the named user sessions seem not to be deleted. Apparently, sessions of webservice users are not ended automatically (see graph below). Has somebody tips to enable session time-outs for webservice users? Or disable the normal login-method in some other way and go back to non-webservice users?

asked 2018-09-11

Johan Flikweert - old account

2 answers

0

It looks like each request creates a session, but the sessions does not get closed at the end of the request.

Maybe you should file a support ticket?

answered 2018-09-13

Joost Verhoog

Rom van Arendonk · Accepted Answer · 2018-09-11

If your users sign on using SAML, just set a random password of length 100. If that is not enough, I have created an app where I created my own login action where I always throw an error, so no normal login can occur:

import java.util.Map;
import com.mendix.core.Core;
import com.mendix.logging.ILogNode;
import com.mendix.m2ee.api.IMxRuntimeRequest;
import com.mendix.systemwideinterfaces.core.AuthenticationRuntimeException;
import com.mendix.systemwideinterfaces.core.ISession;
import com.mendix.systemwideinterfaces.core.UserAction;

public class CustomLoginAction extends UserAction<ISession>
{
	private String userName;
	private String password;
	private IMxRuntimeRequest request;
	public final static String USER_NAME_PARAM = "userName";
	public final static String PASSWORD_PARAM = "password";

	public CustomLoginAction(Map<String, ? extends Object> params) {
		super(Core.createSystemContext());
		this.userName = (String) params.get(USER_NAME_PARAM);
		this.password = (String) params.get(PASSWORD_PARAM);
	    this.request = (IMxRuntimeRequest)params.get("request");
	}
	
	@Override
	public ISession executeAction() throws Exception
	{
		ILogNode logNode = Core.getLogger("Authentication");		
		String remoteAddress = this.request.getRemoteAddr();
		String forwardedFor = this.request.getHeader("X-Forwarded-For");
		String realIP = this.request.getHeader("X-Real-IP");
		if( realIP == null )
			realIP = forwardedFor;
		if( realIP == null )
			realIP = remoteAddress;
		logNode.warn("Regular login request for user: " + userName + " (X-Real-IP: " + realIP + ", X-Forwarded-For:" + forwardedFor + ", remote address: " + remoteAddress + ").");
		throw new AuthenticationRuntimeException("Login FAILED: normal login action disabled!");
	}
}