DejanMilosevic
Hi,
Following the advice from LS js client docs:
The password string will be stored as a JavaScript variable. That is necessary in order to allow automatic reconnection/reauthentication for fail-over. For maximum security, avoid using an actual private password to authenticate on Lightstreamer Server; rather use a session-id originated by your web/application server, that can be checked by your Metadata Adapter.
We're not using any other web server, only LS. We've resorted to implementing a special login token that is sent to the client upon receiving correct credentials (which are sent using sendMessage() in a non-authenticated session). The client can then use this token to open a new, authenticated session by supplying it as the password on connectionDetails.
We want to make this token non reusable, but still allow for automatic reconnection in case of network problems.
How does LS behave in the case of the reconnection / reauthentication mentioned in the docs above? Does it supply a new sessionId to the Metadata Adapter for every new retry? I.e., in our ARI Metadata Adapter, can we restrict login tokens to be used only once, or do we have to allow reuse of the same token as long as the sessionId is the same?
Tnx,
Dejan
Giuseppe Corti
Hi Dejan,
I confirm that following a reconnection the sessionId is replaced and that a new sessionId is involved for each new try.
In this case, when the reconnection succeeds, your Metadata Adapter will receive a new authentication request (Notify User) with the user password parameter set to the old token.
Now, if you handle the token as a "one time password", your Metadata Adapter will not authenticate the user and the reconnection will fail.
Now you could consider two alternatives:
- give up the automatic reconnection mechanism provided by the JavaScript client library, and after each disconnection restart with the procedure of sending credentials;
- give your token a wider validity, considering the "user/token" combination valid for a certain period of time, for example a few hours or a day.
Please let us know if you need any further clarifications.
Regards,
Giuseppe
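The second alternative above, as an added example that is not part of this thread and not Lightstreamer's own code: a token store that binds each login token to its user and to an expiry, so that the automatic reconnection (which, as confirmed, arrives with a fresh sessionId but the old token) still authenticates, while a strict one-time token would reject it. The `notify_user` name is an assumption mirroring the adapter's Notify User hook; the store itself is in-memory and constructed for illustration.

```python
import secrets
import time


class TokenStore:
    """In-memory login tokens: token -> (user, expires_at). Constructed example."""

    def __init__(self, ttl_seconds, one_time=False, clock=time.time):
        self.ttl = ttl_seconds        # validity window ("a few hours or a day")
        self.one_time = one_time      # True reproduces the failing OTP behaviour
        self.clock = clock            # injectable for tests
        self._tokens = {}

    def issue(self, user):
        # Called once the credentials sent via sendMessage() in the
        # unauthenticated session have been verified.
        token = secrets.token_urlsafe(32)     # 256 bits, unguessable
        self._tokens[token] = (user, self.clock() + self.ttl)
        return token

    def notify_user(self, user, password):
        # Invoked for the first session and again on every automatic
        # reconnection; the sessionId is deliberately not part of the lookup
        # because it changes on each retry.
        entry = self._tokens.get(password)
        if entry is None:
            return False
        owner, expires_at = entry
        if self.clock() > expires_at:
            del self._tokens[password]        # expired: drop it
            return False
        if owner != user:
            return False                      # token bound to another user
        if self.one_time:
            del self._tokens[password]        # OTP semantics: second use fails
        return True

    def revoke(self, token):
        # Explicit logout or credential change ends the validity early.
        self._tokens.pop(token, None)


def simulate_reconnect(store, user="alice"):
    """Initial authenticated session, then a reconnection reusing the token."""
    token = store.issue(user)
    first = store.notify_user(user, token)
    retry = store.notify_user(user, token)    # new sessionId, old token
    return first, retry
```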