5 Replies Latest reply on Mar 16, 2016 3:17 AM by Toto RoToTO

    How to handle login sessions across the extensions?

    dnyaneshlb Level 1

      Hi,

       

      I am new to extension development and am using Illustrator 19.2, Mac Yosemite 10.1, Brackets, Tomcat, and jquery-2.0.2 for development. I have created 4 extensions which need server login for authorization.

      The problem here is that, even though all 4 extensions communicate with the same server, I am forced to log in separately in all 4 extensions.

      Isn't it possible, like in a browser, that I can log in with just one extension and the other 3 extensions will understand it?

       

      However, I have tried the following:

      • Once I log in with 1 extension, I retrieve the cookie with "JSESSIONID" and set this cookie as a header for every new request.

                Limitation: Modern browsers will not allow this since it's session hijacking and a major security breach.

       

      Thanks in Advance.

       

      Let me know if you need more info.

        • 1. Re: How to handle login sessions across the extensions?
          bvanstal

          Hi,

           

          We are running into the same issue. Have you found a solution already? Or a workaround maybe?
          Anybody else?

           

          thanks!

          • 2. Re: How to handle login sessions across the extensions?
            Toto RoToTO Level 3

            Hi,

             

            We had the same requirement. Several extensions sharing the same session ID.

            We did solve this using a C++ plugin.

             

            The first extension loaded retrieves the session ID.

            Then, the session ID is sent to our c++ plugin, which is in charge of storing it.

            Afterwards, during that session, if a new extension is loaded, the session ID is sent to that extension.

            So the user won't have to go through the connection process.

             

            We are using CSXS events, controllers, and more.

            But it is not so complicated.

             

            Thomas.

            • 3. Re: How to handle login sessions across the extensions?
              dnyaneshlb Level 1

              You nailed it Toto RoToTO

              The approach I used was on a similar line.

               

              Here is how I made it work.

              1. When the user launches an extension and logs in using it, the C++ plugin saves the JSESSIONID it has got from the server.

              2. The subsequent request-response will work smoothly for the same extension.

              3. When the user launches the second extension, I am passing a dummy request carrying the saved JSESSIONID to the server using a web service call.

                 At the server side,

                  // Session ID sent by the extension in a custom request header
                  String sid = req.getHeader("SESSION_ID");
                  String contextPath = req.getContextPath() + "/";
                  // Cookie string returned to the client, e.g. sid + ";Path=/enovia/"
                  String cookieHeader = sid + ";Path=" + contextPath;
                  System.out.println("SESSION ID passed from client is " + sid);

                  // Reply with CORS headers plus a Set-Cookie carrying the passed-in session ID
                  resp = Response.ok("request reset succeeded")
                          .header("Access-Control-Allow-Origin", "*")
                          .header("Access-Control-Allow-Headers", "accept," + "SESSION_ID")
                          .header("Access-Control-Allow-Credentials", "true")
                          .header("Set-Cookie", cookieHeader)
                          .build();

              4.

                  .header("Set-Cookie", cookieHeader)

              The above statement is doing all the magic.

              5. Once the Set-Cookie parameter is set by the server, all subsequent requests from the second extension will be served without logging in again.

               

              Hope you get it.
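
An added example, not code from the original posts: a hardened form of the server-side step in reply 3, which checks the SESSION_ID header before anything is copied into Set-Cookie. The class name, the `liveSessions` registry, the origin allowlist, the sample values, the Tomcat default ID format and the use of HTTPS (for `Secure`) are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;

public class SessionReattach {
    // Assumption: Tomcat's default id format, 32 upper-case hex chars plus optional ".jvmRoute".
    private static final Pattern SID = Pattern.compile("[0-9A-F]{32}(\\.[A-Za-z0-9_-]{1,32})?");

    /**
     * Builds the response headers for the "re-attach" call, or returns empty when the
     * request must be refused (the caller would answer 403 and set no cookie).
     * liveSessions and allowedOrigins are hypothetical stand-ins for a server-side
     * registry of authenticated sessions and a configured origin allowlist.
     */
    static Optional<Map<String, String>> reattachHeaders(String sid, String origin,
            String contextPath, Set<String> liveSessions, Set<String> allowedOrigins) {
        // Strict format check: rejects ';', spaces and CR/LF, so the value cannot
        // add cookie attributes or extra response headers.
        if (sid == null || !SID.matcher(sid).matches()) return Optional.empty();
        // Only re-issue an id the server itself created for a logged-in user.
        if (!liveSessions.contains(sid)) return Optional.empty();
        // Credentialed CORS responses may not use "*"; echo an allowlisted origin only.
        if (origin == null || !allowedOrigins.contains(origin)) return Optional.empty();

        String cookie = "JSESSIONID=" + sid + "; Path=" + contextPath + "/; Secure; HttpOnly";
        return Optional.of(Map.of(
                "Set-Cookie", cookie,
                "Access-Control-Allow-Origin", origin,
                "Access-Control-Allow-Credentials", "true",
                "Access-Control-Allow-Headers", "accept,SESSION_ID",
                "Vary", "Origin"));
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from the thread.
        String good = "0123456789ABCDEF0123456789ABCDEF";
        Set<String> live = Set.of(good);
        Set<String> origins = Set.of("https://panel.example.test");
        String[] candidates = {
            good,                                   // known session: accepted
            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",     // well-formed but unknown: refused
            good + "; Domain=example.test",         // extra cookie attribute: refused
            good + "\r\nX-Injected: 1"              // CR/LF in the value: refused
        };
        for (String sid : candidates) {
            System.out.println(reattachHeaders(sid, "https://panel.example.test", "/enovia", live, origins)
                    .map(h -> "200 " + h.get("Set-Cookie")).orElse("403 refused"));
        }
    }
}
```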

              • 4. Re: How to handle login sessions across the extensions?
                bvanstal Level 1

                Thanks for your answers!

                We will certainly try to use this approach.

                Keep you posted

                 

                thanks again!