Ticket-based authentication

Ticket-based authentication is based on time-limited tickets that enable users to connect to Helix server. Helix server creates a ticket for a user when they log in using the p4 login -a command. Helix server applications store tickets in the file specified by the P4TICKETS environment variable. If this variable is not set, tickets are stored in %USERPROFILE%\p4tickets.txt on Windows, and in $HOME/.p4tickets on UNIX and other operating systems.

By default, tickets have a finite lifespan, after which they cease to be valid. By default, tickets are valid for 12 hours (43200 seconds). To set different ticket lifespans for groups of users, edit the Timeout: field in the p4 group form for each group. The timeout value for a user in multiple groups is the largest timeout value (including unlimited, but ignoring unset) for all groups of which a user is a member. To create a ticket that does not expire, set the Timeout: field to unlimited.

Although tickets are not passwords, a Helix server accepts valid tickets wherever users can specify Helix server passwords (except when logging in with the p4 login command). This behavior provides the security advantages of ticket-based authentication with the ease of scripting afforded by password authentication. Ticket-based authentication is supported at all server security levels, and is required at security level 3 and 4.

A ticket expires:

  • If the user's AuthMethod is changed
  • If the user's password is changed and the user is using AuthMethod of perforce.
  • When the ticket's password expires. This assumes that password aging is in effect.