Web Server Authentication

The web server prevents unauthorized access by requiring authentication with a valid user name and password for any access to non-static content. Please see the Web Server Security topic for more information on the default users available in the web server.

The authentication process allows any client application to send an authentication request with a user name and password to the web server. If the user name and password are correct and the user is not inactive or locked out due to previously exceeding the maximum number of invalid authentication attempts, then the authentication will succeed and a new session will be created. The session ID of this new session will be sent back to the client application in a special HTTP-only cookie called EWBSessionID.

Warning: This cookie is not accessible to JavaScript code in browsers, which makes it safe from session hijacking in a browser environment. However, if the connection to the web server is an insecure HTTP connection, then this cookie can be intercepted as plain text during transmission between the web server and the client application. Please see the Configuring the Web Server topic for more information on how to configure the web server to automatically redirect all requests to the insecure HTTP port to the secure HTTPS port.

Information: If the current session was previously manually deauthenticated using a deauthenticate request, then any subsequent authentication request will not create a new session provided the previous session cookie was sent by the client application along with the subsequent authentication request. The only exception to this is if the session has expired since the manual deauthentication request.

The session created during authentication will remain active until no requests have been made for the session for the amount of time specified by the configured session expiration time on the web server. Please see the Configuring the Web Server topic for more information on setting the session expiration time.

Every time a request is made using a given session, the session expiration time is reset. In order to manually reset the session expiration time and keep a session active during periods of inactivity, the client application can execute an HTTP POST request to the following keep-alive URL:

<Origin>/keepalive

<Origin> = <Protocol>://<Domain>[:<Port>]

Information: The "keepalive" resource name is the default resource name for keep-alive requests. The keep-alive resource name is configurable in the web server, so please make sure that the resource name that you are using matches the proper resource name on the target web server.
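
The following Python helper is an added example, not code from the original documentation: it builds the keep-alive POST from the URL template above, refuses an insecure HTTP origin, and audits a session cookie header. The host names, session ID values, the empty request body and the check for the Secure attribute are assumptions for illustration; this topic only states that the cookie is HTTP-only.

```python
from urllib.parse import urlsplit
from urllib.request import Request

SESSION_COOKIE = "EWBSessionID"  # cookie name given in this topic


def keepalive_url(origin, resource="keepalive"):
    """Build <Origin>/<resource>, refusing origins that would expose the cookie."""
    parts = urlsplit(origin)
    if parts.scheme != "https":
        raise ValueError("refusing non-HTTPS origin: session cookie would be sent as plain text")
    if (not parts.hostname or "@" in parts.netloc
            or parts.path not in ("", "/") or parts.query or parts.fragment):
        raise ValueError("origin must be <Protocol>://<Domain>[:<Port>]")
    return f"https://{parts.netloc}/{resource.strip('/')}"


def keepalive_request(origin, session_id, resource="keepalive"):
    """Prepare (but do not send) the POST that resets the session expiration time."""
    # Assumption: the keep-alive request needs no body, only the session cookie.
    return Request(keepalive_url(origin, resource), data=b"", method="POST",
                   headers={"Cookie": f"{SESSION_COOKIE}={session_id}"})


def audit_session_cookie(set_cookie, origin):
    """Return findings for one Set-Cookie header value received from `origin`."""
    first, *attrs = [part.strip() for part in set_cookie.split(";")]
    if first.partition("=")[0] != SESSION_COOKIE:
        return ["not the session cookie"]
    flags = {attr.partition("=")[0].lower() for attr in attrs}
    findings = []
    if "httponly" not in flags:
        findings.append("HttpOnly missing: cookie readable by JavaScript")
    if urlsplit(origin).scheme != "https":
        findings.append("received over HTTP: session ID interceptable in transit")
    elif "secure" not in flags:
        findings.append("Secure missing: browser may resend cookie over HTTP")
    return findings


if __name__ == "__main__":
    # Constructed sample headers and hosts, not captured from a real server.
    print(audit_session_cookie("EWBSessionID=abc123; Path=/; HttpOnly", "http://app.example:8080"))
    print(audit_session_cookie("EWBSessionID=abc123; Path=/; HttpOnly; Secure", "https://app.example"))
    print(keepalive_request("https://app.example:8443", "abc123").full_url)
```

Pass a different `resource` value when the target web server uses a non-default keep-alive resource name.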