Results 1 to 2 of 2

Hybrid View

  1. #1

    Question Reconnection with ARI and one time auth tokens

    Hi,

    Following the advice from LS js client docs:

    The password string will be stored as a JavaScript variable. That is necessary in order to allow automatic reconnection/reauthentication for fail-over. For maximum security, avoid using an actual private password to authenticate on Lightstreamer Server; rather use a session-id originated by your web/application server, that can be checked by your Metadata Adapter.

    We're not using any other web server, only LS. We've resorted to implementing special login token that is sent to the client upon receiving correct credentials (that are sent using sendMessage(), in a non authenticated session). Client can then use this token to open a new, authenticated session, by supplying it as a password on connectionDetails.

    We want to make this token non reusable, but still allow for automatic reconnection in case of network problems.

    How does LS behave in case of the reconnection / reauthentication mentioned in the docs above? Does it supply a new sessionId to Metadata adapter for every new retry? I.e. in our ARI Metadata adapter, can we restrict login tokens to be used only once, or we have to allow reuse of the same token as long as the sessionId is the same?

    Tnx,
    Dejan

  2. #2
    Administrator
    Join Date
    Feb 2012
    Location
    Milano
    Posts
    543
    Hi Dejan,

    I confirm you that following a reconnection the sessionId is replaced and that a new sessionId is involved for each new try.
    In this case, when the reconnection succeed your Metadata Adapter will receive a new authentication request (Notify User) with the user password parameter set with the old token.
    Now, if you handle the token as a "one time password" your Metadatata Adapter will not authenticate the user and the reconnection will fail.

    Now you could consider two alternatives:
    - give up the automatic reconnection mechanism that provides the JavaScript client library, and after each disconnection restart with the procedure of sending credentials;
    - provide your token a wider validity, considering the "user/token" combination validfor a certain period of time, for example a few hours or a day.

    Please let us know if you need any further clarifications.

    Regards,
    Giusppe

 

 

Similar Threads

  1. Replies: 7
    Last Post: June 14th, 2012, 09:35 AM
  2. Reconnection attempts fail
    By emiliob in forum Client APIs
    Replies: 12
    Last Post: October 14th, 2010, 08:00 AM
  3. metadata adapter with user auth example
    By k0nan in forum Adapter APIs
    Replies: 1
    Last Post: May 12th, 2010, 10:50 AM
  4. ARI protocol question
    By cbcrack in forum Adapter Protocol
    Replies: 3
    Last Post: January 7th, 2008, 10:07 AM
  5. New documentation for ARI released
    By Alessandro in forum Adapter Protocol
    Replies: 2
    Last Post: July 30th, 2007, 12:29 PM

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
All times are GMT +1. The time now is 06:52 AM.