Re: Secure persistence API access
Posted by
bwallis42 on
URL: https://discuss.orbeon.com/Secure-persistence-API-access-tp4659372p4659399.html
Erik Bruchez wrote
> Using the "oxf.http.forward-cookies" property doesn't seem to work for the persistence API
It seems that the persistence proxy doesn't follow that setting:
http://goo.gl/vT6LwV
This said, headers/cookies forwarding is tricky, and probably something to be discouraged.
On a first access with an initially non-existing session, for example, we cannot forward the JSESSIONID cookie. So we try to guess the cookie value, and this doesn't work with all containers.
I know these issues well, it is something our application has to deal with and we have it working quite well including ajax calls and session timeouts using JSESSIONIDSSO rather than JSESSIONID. It is not ideal but it is all we have for the moment.
So can the FormRunnerPersistenceProxy be fixed to forward the cookies? We don't have any other option to know who is making the persistence call and it is essential that we know on whose behalf the call is being made. I could probably find some other workaround but forwarding JSESSIONIDSSO has proved to be a reasonable solution in our case.
thanks
brian...