+ Start a Discussion
devNut!devNut! 

Session and Tab based Flex application ................................................ anyone?

Hello,
Is the following behaviour expected?

1) User clicks a custom tab to load a custom flex application
2) The Flex application accepts the user's session and connects to apex web services to perform data read/create/update operations
3) User shift+clicks on the Salesforce "Logout" link (top right corner)
4) A new window is displayed telling the user he/she has been logged out

At this point if the user clicks on any salesforce tab, he/she will be re-directed to the login screen, with the following message displayed: " You have attempted to access a page that requires a Salesforce login. If you are already a user of the system, please login below."

However after clicking logout, if the user goes back to the main window he/she can continue to use our flex application.  Meaning the user can still perform create/update/read operations against salesforce web services.

Should the session used by the flex application be invalidated after the user clicks the salesforce "logout" link?

Thanks in advance.



Message Edited by devNut! on 06-10-2008 08:12 AM

Message Edited by devNut! on 06-11-2008 05:14 AM
devNut!devNut!
Can an Admin provide any comments/feedback on this issue ?
werewolfwerewolf
This is happening because the sessionId cookie still exists.  Manually logging out clears the cookie, but the auto logout does not, you (or Flex) can technically still use that session until it actually expires, which may be some matter of minutes after that auto logout message appears.

(this may not be the case forever by the way -- Salesforce may at some point change its logout policy such that the session becomes explicitly invalid when it's auto logged out, or that the cookie actually clears, or both).

If you want your Flex application to try to match the web app's expiry, you can do a periodic quickie API call (GetTimestamp would be a good choice), maybe every 15 minutes after 15 minutes of inactivity, and if you get a session expired error then clear out your session in Flex and unload your app or something to that effect.


Message Edited by werewolf on 06-11-2008 11:30 AM
devNut!devNut!
Hey werewolf,
thanks very much for the reply.

In my scenario the user is performing the logout - but by shift clicking on the top right logout link. 

If a user does this, the salesforce session in the browser is invalidated, but I also expect that the session used by the flex application to be invalidated.  

It seems that the session used by the flex app is still active/valid.
werewolfwerewolf
Well in that case the user is explicitly clearing the cookie but your session in Flex is still active, so the session ID lives.  You can perform a simple check in your flex app (every minute even, on a timer) that makes sure a sid cookie still exists, and if it does not then kill your Flex session.
devNut!devNut!
Yeah could do that...


But what I'd like to know is why this happens..  I would assume that the browser and the flex app share the same session and so they should both be invalidated at this point.



werewolfwerewolf
Well the browser doesn't really have a session per se.  A Salesforce session is stateless -- the continuity of the session is preserved only by the fact that this sid (or session ID) cookie keeps getting passed along with each transaction.

When you start that session in Flex, you are grabbing that sid cookie and keeping it somewhere else in Flex's memory -- it's presumably not going and looking up the browser cookie with every transaction.  Flex has got its own set of cookies for that purpose.  When you kill the browser session, you're just destroying that cookie, but since Flex maintains its own reference to sid then the session doesn't die until the last session ID is gone (or until it legitimately expires as it will over time).
devNut!devNut!
Makes sense - thanks.

I still expected that shift clicking on the logout link would invalidate the session on the server side.  So any other requests with the same session id would be invalid.   i.e. session.invalidate()
Chirag MehtaChirag Mehta

Hey Werewolf - how do you kill salesforce session in flex? I got requirement where I need to query from org and re-login to another org to insert that data. However, as my first session is not yet destroyed so I get error.