
I have an XSJS page served by HANA. When I try to access it from a browser, I need to go through a basic authentication mechanism which is fine.

So far so good. But how can I configure HANA XSEngine so that it times out my web session after I have left it unused for a long time? I have configured xsengine -> httpserver -> sessiontimeout parameter to 30 (I am told it is in seconds) but that does not help. So long as the browser remains open, the session remains live.

One trick I have is to close the browser. Another trick is to delete active login sessions in the browser history. Both force me to re-login, very nice. But these are so lame because they rely on a user action. I am sure SAP HANA is wiser than that.

I will greatly appreciate your help. Is there a different parameter to set? I am on SP07. I run xsengine as a separate process.

Thanks a lot.

Dinesh

1 Answer


Firstly, you shouldn't be using Basic Auth at all. Here are some resources regarding that.

You should look at using the other methods of login. I assume you are trying to authenticate yourself as a HANA user. For this, you can use the super simple form-based authentication. To use this, you just have to include the following in your .xsaccess file at the root of the package:

{
    "authentication":[
        {
            "method":"Form"
        }
    ]
}

This would route you to a login page that comes with HANA where you can log in. Post successful login, it will redirect you back to your application.

So the flow would be something like this:

  • You visit /some/app/index.html for which you need to be authenticated by HANA.
  • You are redirected to /sap/hana/xs/formLogin/login.html where you will log in as a HANA user.
  • You are redirected back to /some/app/index.html now authenticated as the user you logged in as.

When you use something like this, a proper session is maintained. At this point in time, your setting of xsengine > httpserver > sessiontimeout will work.

You can find a lot more information about this in this section of the SAP HANA Developer Guide.

Hope this helps. Please avoid using basic authentication.

Shrayas
  • Thanks Shrayas. Good point re form. Yes we first used form-based and then reduced level, hoping to find a clue. If I enter an xsjs url in the browser addr bar, it forces a re-login after N seconds. However if I have a webapp which was loaded with a login, and the app makes an ajax call - to the very same xsjs url - then there is no call to re-login. Since mine is an SPA, I am stuck. Any hints? – Dinesh Jul 11 '14 at 17:29
  • It is unbelievable to me that it is not possible to set http session timeout for each xs application. How can this be possible?! – dtosato Jun 23 '17 at 16:02
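
An added example (not part of the original posts and not HANA XS code): a toy server model of why an idle timeout is invisible under Basic authentication, where the browser resends its cached credentials with every request, but takes effect once only a session cookie proves identity, as with form login. `ToyServer`, `IDLE_TIMEOUT_S`, `simulate` and the credentials are constructed for illustration; the login path is the one quoted in the answer.

```javascript
// Toy model of an idle-session timeout. Not HANA XS code; all names are constructed.
const IDLE_TIMEOUT_S = 30;

class ToyServer {
  constructor() { this.sessions = new Map(); this.now = 0; this.nextId = 1; }
  advance(seconds) { this.now += seconds; } // simulated clock, no real waiting

  // Returns the session for this cookie, or null if unknown or idle for too long.
  liveSession(cookie) {
    const s = this.sessions.get(cookie);
    if (!s || this.now - s.lastSeen > IDLE_TIMEOUT_S) {
      this.sessions.delete(cookie);
      return null;
    }
    s.lastSeen = this.now; // activity resets the idle timer
    return s;
  }
  newSession(user) {
    const id = "sid-" + this.nextId++;
    this.sessions.set(id, { user, lastSeen: this.now });
    return id;
  }
  checkPassword(user, pass) { return user === "DEMO" && pass === "constructed-pw"; }

  // Basic: credentials arrive on every request, so an expired session is silently replaced.
  handleBasic(req) {
    if (this.liveSession(req.cookie)) return { status: 200, cookie: req.cookie };
    const decoded = Buffer.from(req.authorization.slice(6), "base64").toString();
    const [user, pass] = decoded.split(":");
    if (!this.checkPassword(user, pass)) return { status: 401 };
    return { status: 200, cookie: this.newSession(user) };
  }
  // Form: only the cookie proves identity, so an expired session forces a new login.
  handleForm(req) {
    if (this.liveSession(req.cookie)) return { status: 200, cookie: req.cookie };
    return { status: 302, location: "/sap/hana/xs/formLogin/login.html" };
  }
}

// Log in both ways, stay idle for idleSeconds, then send one more request each.
function simulate(idleSeconds) {
  const server = new ToyServer();
  const authorization = "Basic " + Buffer.from("DEMO:constructed-pw").toString("base64");
  const basicCookie = server.handleBasic({ authorization }).cookie;
  const formCookie = server.newSession("DEMO"); // stands in for a completed form login
  server.advance(idleSeconds);
  return { basic: server.handleBasic({ cookie: basicCookie, authorization }).status,
           form: server.handleForm({ cookie: formCookie }).status };
}
console.log(simulate(10), simulate(31));
```

In this model the Basic-auth request still succeeds after the timeout because the expired session is replaced without user interaction, while the cookie-only request is sent back to the login page.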