Problem:
When a user logs in (authenticates) successfully to the Jasperserver application and is then deleted by the superuser, the deleted user is still able to access the application.
Solution:
This situation arises because a session is created when the user first logs in successfully. The session, identified by its session ID, contains the username and password as variables and is stored in the temp directory. Deleting the user does not end this session; it expires only once the defined timeout is reached.
Please refer to the best practices for session timeout:
1. Since the session only expires once the session timeout value has been reached, it is recommended not to keep the session timeout too long.
2. The session timeout also applies to how long a session remains in memory after a web services call finishes. If another web service call with the same credentials occurs within the timeout period, the server reuses the same session.
3. If the timeout is too short, you may have performance issues caused by a high load of web service calls.
4. If the timeout is too long, a session may stay active for a long time (even indefinitely with a timeout of 0). The risk of allowing long sessions is that the in-memory session is not updated with any role changes until the user logs out manually (ending the session) and logs in again (creating a new session). (https://community.jaspersoft.com/documentation/tibco-jasperreports-server-security-guide/v790/configuring-user-session-timeout)
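Added example (not from the original article or from Jaspersoft): a check that reads the session timeout from a Servlet deployment descriptor and flags the risky settings described in the list above. It assumes the timeout is set in the web application's `web.xml` as `<session-timeout>` in minutes; the sample descriptors and the 30-minute ceiling are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not taken from a real deployment).
SAMPLE_NEVER_EXPIRES = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>0</session-timeout>
  </session-config>
</web-app>"""
SAMPLE_SHORT = SAMPLE_NEVER_EXPIRES.replace(">0<", ">20<")
SAMPLE_MISSING = "<web-app><display-name>demo</display-name></web-app>"

MAX_MINUTES = 30  # assumed policy ceiling; choose a value that fits your deployment


def _local(tag):
    """Strip the XML namespace so any web-app schema version matches."""
    return tag.rsplit("}", 1)[-1]


def audit_session_timeout(web_xml_text, max_minutes=MAX_MINUTES):
    """Return (status, detail) for the <session-timeout> found in a web.xml."""
    root = ET.fromstring(web_xml_text)
    values = [
        el.text
        for cfg in root.iter() if _local(cfg.tag) == "session-config"
        for el in cfg if _local(el.tag) == "session-timeout"
    ]
    if not values:
        return ("unset", "no <session-timeout>; the container default applies")
    try:
        minutes = int((values[0] or "").strip())
    except ValueError:
        return ("invalid", f"non-integer value {values[0]!r}")
    if minutes <= 0:
        # Sessions never expire, so a deleted user keeps access until logout.
        return ("never-expires", "sessions outlive user deletion and role changes")
    if minutes > max_minutes:
        return ("too-long", f"{minutes} min exceeds policy of {max_minutes} min")
    return ("ok", f"{minutes} min")


if __name__ == "__main__":
    for name, text in [("never", SAMPLE_NEVER_EXPIRES), ("short", SAMPLE_SHORT),
                       ("missing", SAMPLE_MISSING)]:
        print(name, audit_session_timeout(text))
```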