
I have a project that has two parts: a Web Service (WS) and a Web Client Application (CA). The user creates a session on the CA and it has a timeout. There is no session created on the WS side. So any user can enter the system from the CA, then make lots of interactions without changing the page (using AJAX); as a result the CA does not count any of these interactions but assumes this time is idle time. Finally the CA session is killed, but interaction can continue until the page is changed. In the second scenario, if the browser remembers its last session, my application page can be seen without any session control, thus anyone can interact with the WS without permission from the CA.

The questions are these: How do I keep the CA session alive during WS interactions, and if the CA session is killed, how do I prevent interaction with the WS?

a.akkus
  • Why do you need a session on the service side? Services/APIs should be stateless and protected by authentication. Only logged-in (authenticated) users from the client app should be able to create an access token for the service and get a response. The service should just check whether the access token is valid. See Spring Security for examples. – TechFree Dec 17 '19 at 06:20
  • @TechFree I didn't use Spring Security for security purposes, but JWT seems promising, if I can integrate it. – a.akkus Dec 17 '19 at 07:57
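One way to realise the stateless, token-protected design suggested in the comments, as an added example that is not from the question or the comments: the CA issues a short-lived HMAC-signed token at login, re-issues it on each AJAX call so real activity keeps the window open, and the WS checks signature, expiry and a revocation list instead of holding any session of its own. The shared secret, the token layout and the revocation set are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a secret shared between CA and WS, never sent to the browser.
SECRET = b"constructed-demo-secret"


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def issue_token(user: str, session_id: str, now: int, ttl: int = 300) -> str:
    """CA side: mint a signed token bound to the CA session, valid for ttl seconds."""
    payload = {"sub": user, "sid": session_id, "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body, hashlib.sha256).digest())
    return (body + b"." + sig).decode()


def verify_token(token: str, now: int, revoked_sessions=frozenset()):
    """WS side: accept the request only if signature, expiry and revocation all pass.
    Returns the payload on success, None on any failure. No server-side state is needed
    beyond the (small) revocation set, which the CA updates when it kills a session."""
    try:
        body, sig = token.encode().split(b".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):       # tampered or foreign token
        return None
    padded = body + b"=" * (-len(body) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    if payload["exp"] <= now:                         # idle longer than ttl
        return None
    if payload["sid"] in revoked_sessions:            # CA session was killed early
        return None
    return payload


def renew_on_activity(token: str, now: int, ttl: int = 300):
    """CA side, called on every AJAX request: a still-valid token is re-issued with a
    fresh expiry, so interaction with the WS counts as activity instead of idle time."""
    payload = verify_token(token, now)
    if payload is None:
        return None
    return issue_token(payload["sub"], payload["sid"], now, ttl)
```

A JWT library gives the same structure with standard claims (`sub`, `exp`) and well-tested parsing; the point here is that the WS never trusts a browser-held session, only a signed token it can check by itself.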

0 Answers