Webservice user sessions seem not to be deleted

Hi, in our application there are both anonymous users and single sign-on users using the SAML module. Because of security requirements I have a scheduled event which deletes all non-webservice users every 5 minutes, and I configured the SAML users to be webservice users, such that the normal login procedure will never work as there are no local users. Unfortunately, this setup backfires on me as the named user sessions seem not to be deleted. Apparently, sessions of webservice users are not ended automatically (see graph below). Does anybody have tips to enable session time-outs for webservice users? Or to disable the normal login method in some other way and go back to non-webservice users?
2 answers

If your users sign on using SAML, just set a random password of length 100. If that is not enough, I have created an app where I created my own login action where I always throw an error, so no normal login can occur:


import java.util.Map;
import com.mendix.core.Core;
import com.mendix.logging.ILogNode;
import com.mendix.m2ee.api.IMxRuntimeRequest;
import com.mendix.systemwideinterfaces.core.AuthenticationRuntimeException;
import com.mendix.systemwideinterfaces.core.ISession;
import com.mendix.systemwideinterfaces.core.UserAction;

// Replacement login action: logs every regular login attempt and always rejects it.
public class CustomLoginAction extends UserAction<ISession> {
	private String userName;
	private String password;
	private IMxRuntimeRequest request;
	public final static String USER_NAME_PARAM = "userName";
	public final static String PASSWORD_PARAM = "password";

	public CustomLoginAction(Map<String, ? extends Object> params) {
		this.userName = (String) params.get(USER_NAME_PARAM);
		this.password = (String) params.get(PASSWORD_PARAM);
		this.request = (IMxRuntimeRequest) params.get("request");
	}

	@Override
	public ISession executeAction() throws Exception {
		ILogNode logNode = Core.getLogger("Authentication");
		String remoteAddress = this.request.getRemoteAddr();
		// Both headers are sent by the client unless a reverse proxy in front
		// of the runtime overwrites them.
		String forwardedFor = this.request.getHeader("X-Forwarded-For");
		String realIP = this.request.getHeader("X-Real-IP");
		// Fall back from X-Real-IP to X-Forwarded-For to the socket address.
		if (realIP == null)
			realIP = forwardedFor;
		if (realIP == null)
			realIP = remoteAddress;
		logNode.warn("Regular login request for user: " + userName + " (X-Real-IP: " + realIP + ", X-Forwarded-For:" + forwardedFor + ", remote address: " + remoteAddress + ").");
		// Never return a session: the normal login path is disabled.
		throw new AuthenticationRuntimeException("Login FAILED: normal login action disabled!");
	}
}
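
The login action above writes the submitted user name and the X-Real-IP / X-Forwarded-For headers straight into the log. As an added example (not part of the original answer and not Mendix code), this is one way to build that log line so that control characters are neutralised and forwarding headers are used only when the request arrives from a known proxy; the class name `LoginLogFields`, `TRUSTED_PROXIES` and all sample addresses are assumptions.

```java
import java.util.Set;

public class LoginLogFields {
    // Assumption: addresses of your own reverse proxies (constructed sample value).
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");
    static final int MAX_LEN = 128;

    // Replace control characters (CR, LF, ...) and cap the length so a submitted
    // value cannot break the entry into several log lines.
    static String sanitize(String value) {
        if (value == null) return "-";
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < value.length() && i < MAX_LEN; i++) {
            char c = value.charAt(i);
            sb.append(Character.isISOControl(c) ? '_' : c);
        }
        return sb.toString();
    }

    // Forwarding headers count only when the TCP peer is one of our proxies;
    // from any other peer they are whatever the client chose to send.
    static String clientIp(String remoteAddr, String xRealIp, String xForwardedFor) {
        if (remoteAddr == null || !TRUSTED_PROXIES.contains(remoteAddr)) return remoteAddr;
        // Assumption: the proxy overwrites X-Real-IP rather than passing it through.
        if (xRealIp != null && !xRealIp.isBlank()) return xRealIp.trim();
        if (xForwardedFor != null) {
            // Walk right to left: the rightmost hops were appended by our own proxies.
            String[] hops = xForwardedFor.split(",");
            for (int i = hops.length - 1; i >= 0; i--) {
                String hop = hops[i].trim();
                if (!hop.isEmpty() && !TRUSTED_PROXIES.contains(hop)) return hop;
            }
        }
        return remoteAddr;
    }

    static String logLine(String userName, String remoteAddr, String xRealIp, String xff) {
        return "Regular login request for user: " + sanitize(userName)
            + " (client: " + sanitize(clientIp(remoteAddr, xRealIp, xff))
            + ", remote address: " + sanitize(remoteAddr) + ")";
    }

    public static void main(String[] args) {
        // Constructed input: direct request, line break in the name, self-declared header.
        System.out.println(logLine("bob\r\nsecond line", "203.0.113.9", null, "127.0.0.1"));
        // Constructed input: request relayed by the trusted proxy.
        System.out.println(logLine("alice", "10.0.0.5", null, "198.51.100.7, 10.0.0.5"));
    }
}
```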



It looks like each request creates a session, but the sessions do not get closed at the end of the request.

Maybe you should file a support ticket?