Altair® Panopticon

Token

A web token is used once the user has successfully logged into Panopticon Visualization Server with one of the following authentication types: BASIC, SAML, or WINDOWS. The token identifies the user and represents the user's ongoing session, so that user credentials are not sent between the user and the server more often than necessary.

The token is returned from Panopticon Real Time in the form of a cookie when the user has been authenticated. By default (authentication.token.cookie.httponly set to false), the cookie is stored in the browser as an https cookie and is accessible to JavaScript.

The token can be configured to suit your needs and requirements. You can configure how long the token is valid, whether it can refresh itself, whether it is persistent or lasts only for a user session (while the browser is still open), and whether it is stored as an HttpOnly cookie. All of this is configured in Panopticon.properties. The table below lists all available token properties.

| Property | Description | Default Value |
|---|---|---|
| authentication.token.persistence | Determines whether the token persists after the browser is closed or lasts only while the browser is open. There are two possible values: PERSISTENT and SESSION. PERSISTENT keeps the token in the browser even if the browser has been closed and reopened. SESSION removes the token from the browser when it is shut down. IMPORTANT: After changing the property value to SESSION, clear the AppData/Token folder before starting the server. | PERSISTENT |
| authentication.token.refreshable | Determines whether the token can refresh itself. The Web client can identify when the token is about to expire and then request a new token with the existing token. A token is refreshable if the property is set to true. If the property is set to false, the token will expire and invalidate the user session. | true |
| authentication.token.secret | The secret used to sign the token. The secret is auto-generated when the server starts for the first time. NOTE: This value should be kept secret. | Auto-generated |
| authentication.token.validity.seconds | The number of seconds that the token should be valid. | 604800 |
| authentication.token.cookie | The name of the cookie used to store the authentication token. Must be unique for each server instance on the host. | ptoken |
| authentication.token.cookie.httponly | Determines how the browser will treat the cookie. If set to true, the cookie is stored in the browser as an HttpOnly cookie and is not available to JavaScript. If set to false (default), the cookie is stored in the browser as https and is accessible to JavaScript. | false |
| authentication.token.cookie.secure | Determines how the browser will treat the cookie depending on the security of the connection. If set to true, the browser receives a secure cookie (HttpOnly cookie) and will not transmit it unless the connection is secure. | false |
| authentication.token.in.login.response.body | Determines whether the REST login response body should contain token information. NOTE: Does not affect the SOAP login response body. | false |
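The following is an added example, not part of the Altair documentation: a small audit that reads the token properties from a Panopticon.properties file, applies the defaults from the table above for anything not set, and lists the properties whose effective value deserves review. The review policy itself (which values are flagged, and the one-day validity limit) is an assumption of this example, as are the function names and the sample file content.

```python
# Property names and defaults are taken from the table on this page.
# The review policy (what is flagged, the 1-day limit) is an assumption.
DEFAULTS = {
    "authentication.token.persistence": "PERSISTENT",
    "authentication.token.validity.seconds": "604800",
    "authentication.token.cookie.httponly": "false",
    "authentication.token.cookie.secure": "false",
    "authentication.token.in.login.response.body": "false",
}
MAX_VALIDITY_SECONDS = 86400  # assumed policy limit, not a vendor value


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return the sorted property names whose effective value deserves review."""
    cfg = {**DEFAULTS, **parse_properties(text)}

    def val(suffix):
        return cfg["authentication.token." + suffix].lower()

    checks = {
        "cookie.httponly": val("cookie.httponly") != "true",  # readable by JavaScript
        "cookie.secure": val("cookie.secure") != "true",  # sent on non-secure connections
        "in.login.response.body": val("in.login.response.body") == "true",  # token in REST body
        "persistence": val("persistence") != "session",  # survives a browser restart
        "validity.seconds": not val("validity.seconds").isdigit()
        or int(val("validity.seconds")) > MAX_VALIDITY_SECONDS,
    }
    return sorted("authentication.token." + k for k, bad in checks.items() if bad)


# Constructed sample: two properties overridden, the rest fall back to defaults.
SAMPLE = """# Panopticon.properties (constructed excerpt)
authentication.token.cookie.httponly=true
authentication.token.validity.seconds = 3600
"""

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print("review:", name)
```

An empty file is audited against the documented defaults, so it reports the settings a fresh installation would run with.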