Persistent Sessions

Web Reverse Proxy can now be configured to remember the username that was entered in a login form, and can also be configured to persist authenticated sessions across browser restarts.

Remembering the Username
It is possible to remember the username which was provided in the login form so that this field can be automatically populated on subsequent logins. In order to enable this capability:
  1. The [remember-me] remember-username-cookie-name configuration entry must be set to the name of the cookie which will hold the name of the user. The cookie which is returned to the browser is a persistent cookie.
  2. The ‘remember-username’ form field must be included in the login request. If this field is not included in the login request, any existing remember-username cookie is cleared.

The default login.html file contains an additional form field for remembering the username, along with JavaScript which automatically populates the field if the cookie is already present in the browser. This field and the JavaScript are commented out by default and should be uncommented if the capability to remember the username is enabled. The name of the cookie which is referenced in the JavaScript must match the name of the cookie which is configured in the ‘[remember-me] remember-username-cookie-name’ configuration entry.

Remembering the Sessions
A session can be persisted so that a user is not required to authenticate each time they access a site. The information required to recreate the session is embedded within a protected token, which is then passed back to the client in either an HTTP header or a persistent cookie. When the token is presented to the Web reverse proxy on a subsequent request, the proxy validates the token and then re-establishes the user session using the information contained within it. The token consists of attributes from the user credential, as defined by the ‘[remember-me] remember-session-attribute-rule’ configuration entry, along with additional literal values, as defined by the ‘[remember-me] remember-session-attribute-literal’ configuration entry.

In order to enable this capability:

  1. The [remember-me] remember-session-field configuration entry must be set to the name of the field which will hold the session token.
  2. The [remember-me] remember-session-key-label configuration entry must be set to the name of the key which will be used to protect the token.
  3. The ‘remember-session’ form field must be included in the login request.

The default login.html file contains an additional form field for remembering the session. This field is commented out by default and should be uncommented if the capability to remember the session is enabled.

Web Storage
Web storage, sometimes known as DOM storage, provides web applications with the ability to store client-side data. Web storage is an alternative to cookies and provides increased security and performance because the stored data is not transmitted with every request. It is possible to store the session token which is produced by the Web reverse proxy in Web Storage using JavaScript. Sample JavaScript has been embedded within the default login.html, logout.html and login_success.html management files to demonstrate how the session token can be stored in Web Storage.
In order to enable the storage of the session token in Web Storage:
  1. The remember session functionality must be enabled and the session token must be configured to be passed back in an HTTP header. This can be achieved by setting ‘[remember-me] remember-session-field’ to something like ‘hdr:verify-access-persistent-session’;
  2. The login.html, logout.html, and login_success.html management files must be checked to ensure that the request header specified in the JavaScript matches the configured header;
  3. The login_response_type POST data must be set to success_page when submitting to /pkmslogin.form, so that the login response (and its token header) is returned directly to the script rather than via a redirect. The default login.html file contains this additional form field, but it is commented out by default.
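The following JavaScript is an added example of the client-side half of this flow; it is not the sample code shipped in the product's login.html, logout.html or login_success.html. It assumes ‘[remember-me] remember-session-field’ is set to ‘hdr:verify-access-persistent-session’, and the ‘username’, ‘password’ and ‘login-form-type’ field names are assumptions for the standard credential fields.

```javascript
// Added example, not the login.html JavaScript shipped with the product.
// Assumes [remember-me] remember-session-field = hdr:verify-access-persistent-session,
// so the token travels in the 'verify-access-persistent-session' response header.
const SESSION_HEADER = 'verify-access-persistent-session';
const STORAGE_KEY = 'verify-access-persistent-session'; // Web Storage key (assumed name)

// Copy the token from a login response's headers into Web Storage.
// `headers` is anything with get(name) (fetch's Headers, or a Map in tests);
// `storage` is window.localStorage (survives browser restarts) or a stand-in.
// Note: anything in localStorage is readable by every script on the origin.
function storeSessionToken(headers, storage) {
  const token = headers.get(SESSION_HEADER);
  if (typeof token !== 'string' || token.length === 0) {
    return null; // no token: login failed or remember-session was not submitted
  }
  storage.setItem(STORAGE_KEY, token);
  return token;
}

// Headers for a later request that presents the stored token so the reverse
// proxy can re-establish the session. Empty object when nothing is stored.
function rememberedSessionHeaders(storage) {
  const token = storage.getItem(STORAGE_KEY);
  return token ? { [SESSION_HEADER]: token } : {};
}

// Called from logout.html: drop the token so the browser cannot re-establish the session.
function clearSessionToken(storage) {
  storage.removeItem(STORAGE_KEY);
}

// Body for POST /pkmslogin.form. 'remember-session' and 'login_response_type'
// are the form fields described above; 'username', 'password' and
// 'login-form-type' are assumed names for the standard credential fields.
function loginFormBody(username, password) {
  return new URLSearchParams({
    username,
    password,
    'login-form-type': 'pwd',
    'remember-session': 'true',
    login_response_type: 'success_page', // response comes back to the script, not a redirect
  });
}

// Browser-only flow tying the pieces together (fetch and window.localStorage
// only exist in a browser, so this function is not exercised outside one).
async function loginAndRemember(username, password) {
  const resp = await fetch('/pkmslogin.form', { method: 'POST', body: loginFormBody(username, password) });
  if (resp.ok) storeSessionToken(resp.headers, window.localStorage);
  return resp.ok;
}
```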