Multiple sessions created for API user in exposed REST service despite Multiple sessions per user turned off

Hi all,

I’ve noticed something that feels a bit counterintuitive and wanted to check if this is expected behaviour. When using an API user with custom authentication for an exposed REST service, I see that multiple sessions are being created for simultaneous calls, even though the Runtime setting “Multiple sessions per user” is turned off.

In my understanding, with this setting turned off, Mendix should limit a user to a single session. Yet, with the API user, I still observe multiple sessions being spun up in parallel.

This behaviour works fine for my use case, but I’d like to know: Is this the expected behaviour for API users with custom authentication or could this be considered a deviation from the way “Multiple sessions per user” is meant to function?

Thanks in advance!
asked
1 answers

Good question, and I do not have THE answer.

However, having an API exposed and not having multiple sessions for an API user could result in issues when the integration is consumed multiple times at the same time, using the same API user. In the case where each API call requires a unique API user, this wouldn't be an issue. Though I see multiple sessions for a single API user as more common, as in most cases it is used per app and not per user of an app.

TLDR: an API-user is functionally not the same as a normal app user.

If there would be a case where a single session per API user should be enforced, start the microflow by retrieving the API user sessions. If 1, continue; if 2, end the microflow and change the response to a 401 not authorized or something like this.

answered