Is there a session manager in XWiki to invalidate every session of a user?

Hello, me again :smiley:

I would like to have some information about session management in XWiki. First, is XWiki based on a specific framework? Struts maybe? Native JEE?

What I want is to be able to force logout a user (logged in her browser with a local XWiki session) from an XWikiAdmin endpoint.

Let’s imagine POST /rest/users/{username}/logout, only usable by XWikiAdminGroup, and I want to kill every session of the user from there. But I don’t have access to these sessions, I eventually just have an XWikiUser object from the username, and the requester is not in the session of the user that we want to invalidate.

I found that in Spring, for example, there is a SessionRegistry to be able to find all stored sessions:

https://docs.spring.io/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/core/session/SessionRegistry.html

Do we have the same kind of mechanism somewhere in the XWiki stack? Or can you think of any way of achieving what I want?

If you want more info about what I am trying to do, I opened a thread on Stack Overflow.

So I’m looking for every kind of solution; checking with you from XWiki whether XWiki provides some solution for that is a step.

So if you have any info, even if it’s not a solution, it will be great for me, or if you think it’s not possible using XWiki :sweat_smile:

Thanks!!!

XWiki is a webapp, thus using the Servlet spec. This means that it’s using the session management defined by the Servlet spec. By default sessions are 30 minutes long, and this can be configured in web.xml. See also https://www.baeldung.com/servlet-session-timeout

With the standard authentication mechanism in XWiki, it is unfortunately not possible to force a logout of a user without changing the user’s password, even if you invalidated all sessions. This is because the authentication cookies store an encrypted version of the user’s password, which will log in the user even if the session has expired. It is possible that what you’re trying to achieve is possible when using an external SSO authentication mechanism.
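As an added example (not code from this thread, from XWiki, or from Spring), this is what the Servlet-spec counterpart of Spring’s SessionRegistry looks like: container listeners keyed on an assumed session attribute `authenticatedUser` (XWiki uses its own attributes), plus an admin call that an endpoint like the proposed `POST /rest/users/{username}/logout` could invoke. As the reply above says, with XWiki’s default authenticator this is not a forced logout on its own, because the authentication cookie re-authenticates the user on the next request; with an SSO authenticator that relies on the session, it is.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
/** Hypothetical registry mapping user name -> live sessions, built only on the Servlet spec (not an XWiki API). */
@WebListener
public class UserSessionRegistry implements HttpSessionListener, HttpSessionAttributeListener {
    /** Assumed (constructed) session attribute under which the webapp stores the logged-in user name. */
    public static final String USER_ATTR = "authenticatedUser";
    private static final Map<String, Set<HttpSession>> BY_USER = new ConcurrentHashMap<>();
    private static void track(String user, HttpSession s) {
        BY_USER.computeIfAbsent(user, k -> ConcurrentHashMap.newKeySet()).add(s);
    }
    private static void untrack(String user, HttpSession s) {
        BY_USER.computeIfPresent(user, (k, set) -> { set.remove(s); return set.isEmpty() ? null : set; });
    }
    @Override public void attributeAdded(HttpSessionBindingEvent ev) {
        if (USER_ATTR.equals(ev.getName())) track((String) ev.getValue(), ev.getSession());
    }
    @Override public void attributeRemoved(HttpSessionBindingEvent ev) {
        if (USER_ATTR.equals(ev.getName())) untrack((String) ev.getValue(), ev.getSession());
    }
    @Override public void attributeReplaced(HttpSessionBindingEvent ev) {
        if (USER_ATTR.equals(ev.getName())) {           // ev.getValue() is the OLD value here
            untrack((String) ev.getValue(), ev.getSession());
            track((String) ev.getSession().getAttribute(USER_ATTR), ev.getSession());
        }
    }
    @Override public void sessionCreated(HttpSessionEvent ev) { /* nothing to do until a user binds */ }
    @Override public void sessionDestroyed(HttpSessionEvent ev) {
        // Fires on timeout and on explicit invalidation; drop the dead session from every bucket
        BY_USER.values().forEach(set -> set.remove(ev.getSession()));
    }
    /** Admin action: invalidate every live session of {@code user}; returns how many were killed. */
    public static int logoutEverywhere(String user) {
        Set<HttpSession> sessions = BY_USER.remove(user);
        if (sessions == null) return 0;
        int killed = 0;
        for (HttpSession s : sessions) {
            try { s.invalidate(); killed++; } catch (IllegalStateException raced) { /* expired meanwhile */ }
        }
        return killed;
    }
}
```

The registry only sees sessions created after the listener is deployed and only on this JVM; in a cluster each node keeps its own map, so a forced logout has to be broadcast to every node.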

Thanks for answering, I forgot to answer myself!

I have a POC that is work-ish, but indeed it’s a complex topic. Thanks for your enlightening answer :slight_smile: