The culprit is sec_get_user_auth_token used in (ad_user_login and) sec_login_handler which is used in sec_handler. Security can be such a nuisance!
Is it possible to have the client track the value of: sec_get_user_auth_token user_id?
If auth_token changes, a new login is expected. Maybe the client could interrupt the session for re-login. Or if the client already has the info, handle re-login via util::http::cookie_auth.
I've managed to avoid js managed sessions, but have some sense of this via ecommerce which has its own sessions, so this strategy may not work for you.