Home/ Questions/Q 8652751
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T14:22:51+00:00

What I am doing is I set both alfresco and share to session time

  • 0

What I am doing is I set both alfresco and share to session time out time 60 minutes in their web.xml file.

My scenario is

  1. When I want to start a workflow in Start Workflow page, I fill all
    necessary data but do not click “Start Workflow” button.
  2. After session time out, I click this “Start Workflow” button.
  3. At the first time, authentication box opens and request for username
    and password.
  4. I filled user name and password of another user.
  5. It starts a workflow with the authenticated another user.
  6. Other times for session timeout, it does not request authentication
    box, but acts for previously requested authenticated user.

So I think Why does it happen??? Is it because of cookie??

Currently there are four cookies used, namely alfLogin, alfUsername2, JSSESSIONID, _alfTest. Only when user is logged out, alfUsername2 cookie is deleted and others are remained.alfLogin and alfUsername2 cookies’ expire time is 7 days and other cookie are depends on session.

Can alfresco web script still be used after session timeout? If so, how can I avoid this condition?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Although I have to answer my own question, I just want to share my result. I have to trace much. But answer is so simple.

    Firstly, it is not because of cookie.

    This answer is not only just for clicking “Start Workflow” button but also calling alfresco webscript after session time out in share.

    All calling to alfresco webscript is done by EndPointProxyController specifically org.springframework.extensions.webscripts.servlet.mvc.EndPointProxyController in spring-webscripts-1.0.0-sources.jar.

    In handleRequestInternal method if there is no session and basicHttpAuthChallenge is true, basic authentication box is shown as below.

                else if (this.basicHttpAuthChallenge || descriptor.getBasicAuth())
            {
                // check for HTTP authorisation request (i.e. RSS feeds, direct links etc.)
                String authorization = req.getHeader("Authorization");
                if (authorization == null || authorization.length() == 0)
                {
                    res.setStatus(HttpServletResponse.SC_UNAUTHORIZED,
                            "No USER_ID found in session and requested endpoint requires authentication.");
                    res.setHeader("WWW-Authenticate", "Basic realm=\"Alfresco\"");

                    // no further processing as authentication is required but not provided
                    // the browser will now prompt the user for appropriate credentials
                    return null;
                }
                else
                {
// other coding
                }

    We can avoid this condition as

    in endpointController of slingshot-application-context.xml, change
    basicHttpAuthChallenge to false.

    Like 

       <!-- Override EndPointProxyController to enable Basic HTTP auth challenge on 401 response -->
   <bean id="endpointController" class="org.springframework.extensions.webscripts.servlet.mvc.EndPointProxyController">
      <property name="cacheSeconds" value="-1" />
      <property name="useExpiresHeader"><value>true</value></property>
      <property name="useCacheControlHeader"><value>true</value></property>
      <property name="configService" ref="web.config" />
      <property name="connectorService" ref="connector.service" />
      <property name="supportedMethods"><null/></property>
      <property name="basicHttpAuthChallenge"><value>false</value></property>
   </bean>
    • 0