Multiple token validities?

Question asked by christopher.schaefer on Sep 13, 2018



I have a question about the token validity in Portal for ArcGIS because I can't clearly assign the explanations in the online documentation. There are two entries I found:




The first link states:


tokenExpiration: When a user logs on to the portal website, a token with an expiration time of 120 minutes (two hours) is generated. If the Stay Logged On at Logon option is selected, the time defined in this property is overwritten by the longTokenExpiration time.


and in the second link:


The default validity period is two weeks (20,160 minutes). Although this setting may be appropriate for your organization, a token with a long expiration time is less secure. For example, a token intercepted by a malicious user can be used until it expires. On the other hand, a shorter expiration time is more secure, but members will need to enter their username and password more frequently.


At which point is which token validity evaluated? I understand the first link because I can assign it to the Portal Log In page. But when will the default validity period be evaluated if I have already configured the cases under the first link, with "stay logged in" set or not set?


In addition, there is the question of whether the settings set in the portal overwrite the token settings of the GIS server as soon as the server is in Hosted or Federated status. I work with WebApp Builder and can see that tokens are requested from both server and portal.