permanentSession

The "permanentSession" property is an optional boolean that indicates if a session is permanent. It defaults to false.

Important: Before you can create permanent sessions, you must add "enablePermanentJsonApiSessions": true to the "jsonActionApiDefaults" section of the <faircom>/config/services.json file.

If "permanentSession" is set to true when "createSession" is called, the server marks the returned "authToken" as permanent. The "authToken" is associated with the settings and authorizations of the user who created the session, and it remains valid even after the server restarts. A permanent "authToken" works like an API key: it authenticates an application without the need for a username/password or a client certificate. Multiple applications can use the same permanent "authToken".

Warning: A permanent "authToken" is potentially less secure than a temporary one.

  • A permanent "authToken" never becomes invalid, which makes it easier for an attacker to find it using brute force.
  • A permanent "authToken" is persisted by an application, which increases the opportunity for an attacker to find it.
  • A permanent "authToken" allows each application server to share the same session, which potentially allows an attacker to change session settings for all application servers.
  • When you set the "permanentSession" property to true in "createSession", it creates a permanent session and returns a permanent "authToken".
  • Developers and applications can use a permanent "authToken" in JSON actions without needing to call "createSession" to get a temporary "authToken".
  • You must protect a permanent "authToken" as you would a password or API key because it represents a permanently authenticated server session.
  • A permanent session does not expire. You can also prevent a temporary session from expiring by setting its "idleConnectionTimeoutSeconds" property to 0.
  • A permanent "authToken" uses the authorizations and settings of the account that originally created the session. All actions performed in the session run with that account's authorizations and account settings, such as its default database and owner.
  • You can use "alterSession" to modify the settings of a permanent session, but you cannot use it to turn a temporary session into a permanent session.
  • If multiple application servers use the same permanent "authToken", they share the same permanent session settings. Consider the following:
    • If one application server uses "alterSession" to change a permanent session's settings, the other application servers automatically use the new settings. To avoid confusion and errors, applications must specify all JSON action property values and not rely on session defaults.
    • You cannot use different sessions to determine which app server executes an action. This makes troubleshooting more difficult.
    • An application must create and use a transaction to protect the visibility and integrity of multiple operations from other applications. This is true for permanent and temporary sessions.
  • The FairCom server securely stores each permanent "authToken" in the encrypted faircom.fcs file.
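As an added example (not FairCom's own code), the following Python helpers show the client side of what this page describes: a "createSession" request is only built with "permanentSession": true when the services.json setting above allows it, and the returned permanent "authToken" is supplied from the environment rather than hard-coded. The {"api", "action", "params"} request envelope, the top-level placement of "authToken", and the FAIRCOM_AUTH_TOKEN variable are assumptions; only the property names come from this page.

```python
import json
import os
from typing import Optional

# Constructed sample of the relevant part of <faircom>/config/services.json.
# Only the two keys named on this page are shown; the rest of the file is omitted.
SAMPLE_SERVICES_JSON = """
{
  "jsonActionApiDefaults": {
    "enablePermanentJsonApiSessions": true
  }
}
"""


def permanent_sessions_enabled(services_json_text: str) -> bool:
    """Return True only if createSession is allowed to mint permanent sessions."""
    cfg = json.loads(services_json_text)
    defaults = cfg.get("jsonActionApiDefaults", {})
    return defaults.get("enablePermanentJsonApiSessions", False) is True


def build_create_session(username: str, password: str, services_json_text: str,
                         permanent: bool = False) -> dict:
    """Build a createSession request body (envelope shape is an assumption).

    Refuse to ask for a permanent session when the server config does not allow
    it, so the mistake surfaces in the client instead of as a rejected action.
    """
    if permanent and not permanent_sessions_enabled(services_json_text):
        raise ValueError("enablePermanentJsonApiSessions is not true in services.json")
    return {"api": "admin", "action": "createSession",
            "params": {"username": username, "password": password,
                       "permanentSession": permanent}}


def build_action(api: str, action: str, params: dict,
                 auth_token: Optional[str] = None) -> dict:
    """Attach an authToken to a follow-up action.

    A permanent authToken must be protected like a password or API key, so it is
    read from the (hypothetical) FAIRCOM_AUTH_TOKEN variable, never embedded in
    source. Callers pass complete params: apps sharing one permanent session must
    not rely on session defaults, which any of them may change via alterSession.
    """
    token = auth_token or os.environ.get("FAIRCOM_AUTH_TOKEN")
    if not token:
        raise ValueError("no authToken available")
    return {"api": api, "action": action, "authToken": token, "params": params}
```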