Session Management Issues Using API
We are having an issue where only one user can have a session at a time. (Issue at a very high level)
We have a customer-facing portal that uses the Bonita login endpoint for authentication and returns the Bonita cookie back to the user's browser. This then establishes an active session between the React.js application and Bonita, allowing subsequent API calls to Bonita's API stack to utilize the established session.
This has worked for over a year this way.
The only change we have made recently is to separate the Postgres database onto its own host. We are running Bonita Community 7.8.4. There is a transparent proxy between the web server and Bonita.
The process in detail is as follows: User A logs into the web portal and gets a valid session. The user uses the portal, making API calls to Bonita for any period that the session is active (for example, 0-30 minutes). At any point in that time frame, User B logs into the portal. Upon successfully authenticating and generating a session, all other sessions are terminated. Tomcat shows sessions are still active, so in the example defined it would show 2 active sessions.
HOWEVER!!! If someone is logged into the Bonita portal, they are left unaffected by this scenario; it affects only users using the API endpoints through the application. We thought it was the application, so we tested by just making cURL calls from different terminals as different users, and in Postman, and received the same results.
I don't understand exactly how Bonita session management is happening because of this, and if anyone with insight, or who has faced this before, can help, we would appreciate it. Again, no exceptions are thrown and there is nothing in the logs revealing that sessions are being terminated.