Web API call creating sessions

RE: Web API call creating sessions

PhilB — Fri, 14 Jul 2017 13:22:30 GMT

To call a Web API requires a session, but it seems to me the issue here is that the session that's created persists for some time after the call is made, so sambhavj is looking for a way to kill that session once the call has been made.

RE: Web API call creating sessions

Shyam Bommakanti — Fri, 14 Jul 2017 12:47:02 GMT

Per Mike Webapi always has session.
An alternate is to have stateless custom servlet plugin, documentation:
docs.appian.com/.../Custom_Servlet_Plug-ins.html

RE: Web API call creating sessions

PhilB — Fri, 14 Jul 2017 10:40:59 GMT

I posted this on another thread where you've asked the same question, but if you're looking to kill the session you've established, would a call to https://<site url>/suite/logout do it?

That said, Stefan Helzle is right - this all sounds like a bad idea.

RE: Web API call creating sessions

Stefan Helzle — Fri, 14 Jul 2017 09:21:51 GMT

Just a small security question. Does this mean you store unencrypted credentials in the users browser? Doing a direct call from the browser would require that. Am I wrong? If this is the case I strongly suggest to not do that.

RE: Web API call creating sessions

gayatriv55 — Fri, 14 Jul 2017 07:34:13 GMT

One thing you can do, is clearing cache and cookies on every click of the service call once you will receive the output. Don't know it is feasible or not!

RE: Web API call creating sessions

sambhavj — Fri, 14 Jul 2017 07:34:05 GMT

SO there is no work around to it , limiting the session scope or making services stateless?

RE: Web API call creating sessions

gayatriv55 — Fri, 14 Jul 2017 07:32:52 GMT

Yes that is the expected behavior of Appian I think. Becasue we are also facing same thing. Logically to call Appian service you are logging into Appain virtually, so if you will open Appian it will login directly with the service account.

RE: Web API call creating sessions

sambhavj — Fri, 14 Jul 2017 07:11:41 GMT

Yes the problem we are facing is there is an Appian web service call in the Html page , before the point we redirect to appian , so while calling that web service it is creating a service user session , and when we redirect it logins to service user account , without doing SSO

RE: Web API call creating sessions

gayatriv55 — Fri, 14 Jul 2017 07:04:53 GMT

@sambhavj, Didn't understand your comment above exactly. SSO implementation bypass the Appain login page. which means you will be directly login into the Appian via SSO with the Appian account which you are using for SSO.

RE: Web API call creating sessions

sambhavj — Fri, 14 Jul 2017 06:59:35 GMT

We tried removing the cookie using JavaScript but that doesn't work

RE: Web API call creating sessions

sambhavj — Fri, 14 Jul 2017 06:58:59 GMT

We are redirecting through SSO , but when there is a session for the service user it bypasses the SSO

RE: Web API call creating sessions

gayatriv55 — Thu, 13 Jul 2017 15:49:57 GMT

Can you please explain how you are redirecting to Appian? like SSO/Embedded Sail?

RE: Web API call creating sessions

gayatriv55 — Thu, 13 Jul 2017 15:47:16 GMT

Ideally Web API should not create any session for Appian.

RE: Web API call creating sessions

Mike Cichy — Thu, 13 Jul 2017 14:42:55 GMT

There is no way to avoid creating a session.
Why not remove the session cookie for the redirect?