Following the advice from LS js client docs:

The password string will be stored as a JavaScript variable. That is necessary in order to allow automatic reconnection/reauthentication for fail-over. For maximum security, avoid using an actual private password to authenticate on Lightstreamer Server; rather use a session-id originated by your web/application server, that can be checked by your Metadata Adapter.

We're not using any other web server, only LS. We've resorted to implementing special login token that is sent to the client upon receiving correct credentials (that are sent using sendMessage(), in a non authenticated session). Client can then use this token to open a new, authenticated session, by supplying it as a password on connectionDetails.

We want to make this token non reusable, but still allow for automatic reconnection in case of network problems.

How does LS behave in case of the reconnection / reauthentication mentioned in the docs above? Does it supply a new sessionId to Metadata adapter for every new retry? I.e. in our ARI Metadata adapter, can we restrict login tokens to be used only once, or we have to allow reuse of the same token as long as the sessionId is the same?