Thursday, January 14, 2016

How to manage Authenticated Session in WSO2 IS 5.1.0

In this post I am going to discuss configuring the authenticated session in WSO2 IS 5.1.0. The authenticated session is the session created for an end user who authenticates to a Service Provider application via an authentication protocol (SAML, OpenID, OpenID Connect, etc.). It is different from the management console login session.
In WSO2 IS this authenticated session is tracked with a cookie called ‘commonAuthId’. When a user authenticates, a session is created for that user and cached, and the session’s identifier is set as the value of the commonAuthId cookie. Whoever holds that cookie value holds the session, so it deserves the same care as any other session identifier.
I have previously blogged about how the authenticated session is maintained in WSO2 IS 5.0.0 here.
In IS 5.1.0 it is much the same, but more configurable and simpler :).


In IS 5.0.0 the session idle timeout could not be configured, because the cache timeout was not configurable; the session was stuck with the default cache timeout period of 15 minutes. It could, of course, be extended with the remember-me option and session data persistence.


The best thing about IS 5.1.0 is that this is now configurable. The ‘session idle timeout’ and the ‘remember me period’ can be set directly from the management console, and a management console change applies only to the tenant you are logged in to, which means it is configurable per tenant.


There is a global configuration for the ‘session idle timeout’ and the ‘remember me period’ in identity.xml (IS_HOME/repository/conf/identity/identity.xml):


<TimeConfig>
    <SessionIdleTimeout>15</SessionIdleTimeout>
    <RememberMeTimeout>20160</RememberMeTimeout>
</TimeConfig>


These values are in minutes, so the default session idle timeout is 15 minutes and the default remember-me timeout is two weeks (20160 minutes). Changing them here changes the global defaults, which is what the tenants you create will start with.
This configuration can be overridden per tenant from the management console:
  1. Go to Home > Identity > Identity Providers and click List.
  2. Click ‘Resident Identity Provider’.
  3. Under ‘Resident Realm Configuration’, set the session idle timeout by changing ‘Idle Session Time Out’ and the remember-me period by changing ‘Remember Me Period’.
  4. Click ‘Update’ to save the configuration. Once updated, it takes effect for the tenant you are logged in to.



There are a few more configurations for managing logged-in sessions in identity.xml, under the Server.JDBCPersistenceManager configuration block.
In IS 5.1.0 sessions are persisted by default, and a cleanup task runs periodically and removes persisted sessions older than two weeks. These defaults can be changed with the configurations below.


Session persistence is controlled by the <Enable> element below. Note that persistence is enabled by default even when the element is absent, so in practice this element is only needed to disable it (set it to false).


<SessionDataPersist>
    <...>...<...>
    <Enable>true</Enable>
    <...>...<...>
</SessionDataPersist>


As I mentioned before, session persistence comes with a cleanup service that removes stale sessions.


<SessionDataPersist>
    <...>...<...>
    <SessionDataCleanUp>
        <Enable>true</Enable>
        <CleanUpPeriod>10</CleanUpPeriod>
        <CleanUpTimeout>60</CleanUpTimeout>
    </SessionDataCleanUp>
    <...>...<...>
</SessionDataPersist>


The cleanup service is enabled by default. It can be disabled with the SessionDataPersist.SessionDataCleanUp.Enable element.

SessionDataPersist.SessionDataCleanUp.CleanUpPeriod defines the interval between two consecutive cleanup runs, in minutes. By default it is one day.

SessionDataPersist.SessionDataCleanUp.CleanUpTimeout defines how long persisted session data is kept, in minutes. By default it is two weeks.

For example, with the configuration above the cleanup task runs every 10 minutes, and each run removes all sessions that were persisted more than 60 minutes earlier.
The cleanup is purely time based: with those example values a remember-me session, which is valid for two weeks, would have its persisted copy removed after an hour. Keep CleanUpTimeout at least as long as the longest session lifetime you configure (the idle timeout, or the remember-me period if remember me is used); otherwise a user whose still-valid session has dropped out of the cache will have to authenticate again.


The following configurations are also available under the <SessionDataPersist> element.


SessionDataPersist.OperationDataCleanUp.Enable
Along with persisting and removing a session, the corresponding operation is stored with a timestamp, to reduce session persistence issues caused by the persistence and cleanup processes running in parallel.
A separate cleanup task exists for this operation data table. It is disabled by default and can be enabled with this element.


SessionDataPersist.OperationDataCleanUp.CleanUpPeriod
This configures the timeout of session operation data, in minutes. By default it is 720 minutes, meaning that a cleanup task execution removes operation data older than 720 minutes.


SessionDataPersist.Temporary
Setting this property to true persists the data added to a number of other (transient) caches as well, so that on a cache miss the entry can be retrieved from the session persistence store.
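The TimeConfig, SessionDataPersist and cleanup settings above interact, and the post's own cleanup example (CleanUpTimeout of 60 minutes beside a two-week remember-me period) is the kind of combination that is easy to miss in a large identity.xml. As an added example that is not from the original post or from WSO2's own code, the following Python script reads those settings out of an identity.xml and reports the inconsistent combinations discussed above: a CleanUpTimeout shorter than the longest configured session lifetime, a cleanup period longer than the cleanup timeout, cleanup disabled while persistence is enabled, persistence disabled altogether, and a remember-me period shorter than the idle timeout. It assumes the element layout described above (TimeConfig and JDBCPersistenceManager/SessionDataPersist under the root Server element, with the default namespace the real file declares), treats a missing element as the default quoted above (the one-day CleanUpPeriod is taken as 1440 minutes), and the identity.xml fragments embedded in it are constructed for this example.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """'{namespace}Name' -> 'Name'; identity.xml declares a default namespace."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First child of elem with the given local name, or None."""
    if elem is None:
        return None
    return next((c for c in elem if _local(c.tag) == name), None)


def _get(elem, path, default):
    """Follow a '/'-separated path of local names below elem and return the
    element text as the type of `default` (bool or int).  A missing or empty
    element yields the default, mirroring the server's own fallback."""
    for name in path.split("/"):
        elem = _child(elem, name)
    if elem is None or elem.text is None or not elem.text.strip():
        return default
    text = elem.text.strip()
    if isinstance(default, bool):  # checked first: bool is a subclass of int
        return text.lower() == "true"
    return int(text)


def read_session_settings(identity_xml):
    """Extract the session-related settings; all durations are in minutes."""
    root = ET.fromstring(identity_xml)
    sdp = "JDBCPersistenceManager/SessionDataPersist"
    return {
        "idle": _get(root, "TimeConfig/SessionIdleTimeout", 15),
        "remember_me": _get(root, "TimeConfig/RememberMeTimeout", 20160),
        "persist": _get(root, sdp + "/Enable", True),
        "cleanup": _get(root, sdp + "/SessionDataCleanUp/Enable", True),
        "cleanup_period": _get(root, sdp + "/SessionDataCleanUp/CleanUpPeriod", 1440),
        "cleanup_timeout": _get(root, sdp + "/SessionDataCleanUp/CleanUpTimeout", 20160),
    }


def check_session_settings(s):
    """Return 'CODE: explanation' findings; an empty list means consistent."""
    findings = []
    if s["remember_me"] < s["idle"]:
        findings.append(f"REMEMBER_ME_SHORTER_THAN_IDLE: RememberMeTimeout ({s['remember_me']} min) "
                        f"is below SessionIdleTimeout ({s['idle']} min), so remember me shortens the session.")
    if not s["persist"]:
        findings.append("PERSISTENCE_DISABLED: sessions live only in the in-memory cache, so the "
                        "configured idle and remember-me periods cannot outlast a cache eviction or restart.")
        return findings
    if not s["cleanup"]:
        findings.append("CLEANUP_DISABLED: persistence is on but nothing removes stale rows, "
                        "so the session store grows without bound.")
        return findings
    longest = max(s["idle"], s["remember_me"])
    if s["cleanup_timeout"] < longest:
        findings.append(f"CLEANUP_TOO_AGGRESSIVE: CleanUpTimeout ({s['cleanup_timeout']} min) is below the "
                        f"longest session lifetime ({longest} min); the time-based cleanup will delete "
                        "the persisted copy of sessions that are still valid.")
    if s["cleanup_period"] > s["cleanup_timeout"]:
        findings.append(f"CLEANUP_PERIOD_EXCEEDS_TIMEOUT: runs every {s['cleanup_period']} min but expires "
                        f"rows after {s['cleanup_timeout']} min, so expired rows linger up to a full period.")
    return findings


# Constructed identity.xml fragments (a real file carries many more elements).
# POST_EXAMPLE uses the example values from the post; CORRECTED keeps
# CleanUpTimeout at the two-week remember-me period and runs cleanup daily.
POST_EXAMPLE = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <TimeConfig>
    <SessionIdleTimeout>15</SessionIdleTimeout>
    <RememberMeTimeout>20160</RememberMeTimeout>
  </TimeConfig>
  <JDBCPersistenceManager>
    <SessionDataPersist>
      <Enable>true</Enable>
      <SessionDataCleanUp>
        <Enable>true</Enable>
        <CleanUpPeriod>10</CleanUpPeriod>
        <CleanUpTimeout>60</CleanUpTimeout>
      </SessionDataCleanUp>
    </SessionDataPersist>
  </JDBCPersistenceManager>
</Server>"""

CORRECTED = (POST_EXAMPLE.replace("<CleanUpTimeout>60<", "<CleanUpTimeout>20160<")
                         .replace("<CleanUpPeriod>10<", "<CleanUpPeriod>1440<"))

if __name__ == "__main__":
    for label, xml in (("post example", POST_EXAMPLE), ("corrected", CORRECTED)):
        findings = check_session_settings(read_session_settings(xml))
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against a copy of IS_HOME/repository/conf/identity/identity.xml by passing the file contents to read_session_settings; the checks only cover what identity.xml says, so a tenant that has overridden the idle or remember-me period through the resident identity provider page needs the same comparison done against that tenant's values.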


For further reference, here are the caches that are persisted when ‘SessionDataPersist.Enable’ is true, and the caches that are additionally persisted when ‘SessionDataPersist.Temporary’ is true.


Caches that persist data and read from the store when session persistence is enabled:


  Cache                                Class
  AppAuthFrameworkSessionContextCache  org.wso2.carbon.identity.application.authentication.framework.cache.SessionContextCache
  AuthorizationGrantCache              org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache
  SAMLSSOParticipantCache              org.wso2.carbon.identity.sso.saml.cache.SAMLSSOParticipantCache
  SAMLSSOSessionIndexCache             org.wso2.carbon.identity.sso.saml.cache.SAMLSSOSessionIndexCache


Caches that persist data and read from the store only if ‘SessionDataPersist.Temporary’ is set to true:


  Cache                               Class
  AuthenticationContextCache          org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationContextCache
  AuthenticationRequestCache          org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationRequestCache
  AuthenticationResultCache           org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationResultCache
  InboundAuthenticationContextCache   org.wso2.carbon.identity.application.authentication.framework.inbound.InboundAuthenticationContextCache
  OAuthSessionDataCache               org.wso2.carbon.identity.oauth.cache.SessionDataCache
  SAMLSSOSessionDataCache             org.wso2.carbon.identity.sso.saml.cache.SessionDataCache
  PassiveSTSSessionDataCache          org.wso2.carbon.identity.sts.passive.ui.cache.SessionDataCache


Thanks for reading …