Authentication timeout value in Access groups of DEV has been set to 300, so if users belonging to those access groups remain inactive for more than 300 seconds then a pop-up appears asking users to reauthenticate. This is working as expected in DEV/SIT/PAT environments, but in the Prod environment, when authentication timeout in access group is set to 300, no such pop-up appeared when users remained inactive for 300 seconds. Any inputs on what had restricted this from happening?
So this is standard Basic Authentication. If you look at a Fiddler trace when using the application I bet you are seeing "Authorization" headers being sent with all the requests to PRPC. The browser is remembering the credentials and since it's sending them you are not seeing the basic authentication prompt.
How could we achieve the authorisation prompt? What should be done to stop the browser from having these credentials? We are facing this issue in Prod. We do not have access to the environment; we just have to give a solution to the client who has access to Prod.
Posted: 16 May 2017 10:56 EDT
Chris Koyl (ChrisKoyl)
Senior Fellow, Technical Support, Runtime Engine
First, if you look at the screenshot you attached of the Basic Authentication prompt, there is a check box to "Remember my credentials". If this is being used by the end user, then with PRBasic there is not much you can do other than changing to a more robust authentication protocol.
PRBasic is the default authentication type for PRServlet OTB. This is HTTP Basic Authentication and the prompt for credentials is standard at the browser level, not part of PRPC.
We have other types of authentication that can be used for Single Sign-On using LDAP, Siteminder, WebSEAL and SAML, just as examples. These all use a PRPC authentication type of PRCustom and provide a much more secure authentication than HTTP Basic Authentication.
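
The trace check suggested earlier in the thread can be scripted. This is an added example, not part of the original posts or of PRPC. It assumes the trace was exported in HAR (HTTP Archive) format, and it flags requests that arrive after more than 300 seconds of inactivity, reporting whether the server challenged them or accepted Basic credentials the browser resent. The host name, user name and trace entries are constructed sample data.

```python
import base64
from datetime import datetime

TIMEOUT_S = 300  # authentication timeout value from the thread

def _entry(ts, status, auth=None):
    """Build one HAR-style entry (constructed sample data, not a real capture)."""
    hdrs = [{"name": "Authorization", "value": auth}] if auth else []
    return {"startedDateTime": ts,
            "request": {"url": "https://app.example.test/PRServlet", "headers": hdrs},
            "response": {"status": status}}

CRED = "Basic " + base64.b64encode(b"demo.user:not-a-real-password").decode()
SAMPLE_HAR = {"log": {"entries": [
    _entry("2024-01-01T10:00:00Z", 401),        # initial challenge
    _entry("2024-01-01T10:00:05Z", 200, CRED),  # user logs in
    _entry("2024-01-01T10:01:00Z", 200, CRED),
    _entry("2024-01-01T10:09:00Z", 200, CRED),  # 480 s idle, no challenge
    _entry("2024-01-01T10:20:00Z", 401, CRED),  # 660 s idle, challenged
]}}

def basic_user(value):
    """Return the username inside a 'Basic <base64>' header value, else None."""
    if not value or not value.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:].strip(), validate=True)
    except ValueError:  # malformed base64
        return None
    return decoded.decode("utf-8", "replace").split(":", 1)[0]

def requests_after_idle(har, timeout_s=TIMEOUT_S):
    """Classify each request that follows an idle gap longer than timeout_s."""
    rows = []
    for e in har["log"]["entries"]:
        ts = datetime.fromisoformat(e["startedDateTime"].replace("Z", "+00:00"))
        auth = next((h["value"] for h in e["request"]["headers"]
                     if h["name"].lower() == "authorization"), None)
        rows.append((ts, e["response"]["status"], basic_user(auth)))
    rows.sort(key=lambda r: r[0])
    findings = []
    for (prev_ts, _, _), (ts, status, user) in zip(rows, rows[1:]):
        gap = (ts - prev_ts).total_seconds()
        if gap <= timeout_s:
            continue
        verdict = ("challenged" if status == 401 else
                   "cached-basic-credentials-accepted" if user else "no-basic-credentials")
        findings.append({"gap_s": int(gap), "status": status, "user": user, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for finding in requests_after_idle(SAMPLE_HAR):
        print(finding)
```

Only the user name is extracted from the header; the password portion is discarded and never printed.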