
Portal OAuth Session Management

Question asked by yauben on Sep 20, 2016

When a user clicks the Firefox browser "Back" button from a Portal page, say https://[host]/arcgis/home/webmap/viewer.html?useExisting=1, the token in the esri_auth cookie gets renewed. Is this a known bug or an intended feature for 10.3.1?

The esri_auth cookie is set to expire per session. Among the variables in esri_auth, only the token is encoded with a secret. Per the OAuth2 standard, the token is the OAuth session token. Under normal user usage, including the "Back" button or other similar actions, the session token is lost and then renewed. During a user session, there are many session tokens instead of one.

My requirement is to be able to audit the activities of a user in detail during a session. I assumed the token in esri_auth is the OAuth session token for a user session, so that I can correlate audit logs for a user using the token.
