Monday, March 2, 2015

How to manage Session in WSO2 IS 5.0.0 + SP01


Please note that the configurations and the post below apply only to WSO2 IS 5.0.0 + SP01.

In the authentication framework, the logged-in session of a user is tracked by the commonAuthId session cookie, whose value keys an entry in the SessionContextCache (AppAuthFrameworkSessionContextCache).
By default no expiration time is set on the commonAuthId cookie (the browser treats it as a session cookie), and the cache entry is invalidated after 15 minutes, which is the default cache expiry time. This expiry time is hard coded in org.wso2.carbon.caching.impl.CacheImpl, so it is not configurable at the moment.
As a result, the idle timeout of a logged-in session is 15 minutes, and that value cannot be changed.
The following configurations, found in identity.xml under the Server.JDBCPersistenceManager block, control the lifetime of persisted session data.
Session data persistence is enabled as follows.

<SessionDataPersist>
<...>...<...>
<Enable>true</Enable>
<...>...<...>
</SessionDataPersist>

This causes the session data associated with a logged-in session to be stored in the identity database.
Session data persistence comes with a cleanup service that removes stale session data.

<SessionDataPersist>
<...>...<...>
<CleanUp>
<Enable>true</Enable>
<Period>10</Period>
<TimeOut>60</TimeOut>
</CleanUp>
<...>...<...>
</SessionDataPersist>


The cleanup service runs only if it is enabled with SessionDataPersist.CleanUp.Enable.
SessionDataPersist.CleanUp.Period defines the interval, in minutes, between two consecutive cleanup runs. By default it is one day (1440 minutes).
SessionDataPersist.CleanUp.TimeOut defines, in minutes, how long persisted session data is kept. By default it is two weeks (20160 minutes).
For example, with the configuration above the cleanup task runs every 10 minutes,
and each run removes all session data that was persisted more than 60 minutes earlier.

The remember-me period can be configured as below.

<SessionDataPersist>
<...>...<...>
<RememberMePeriod>60</RememberMePeriod>
<...>...<...>
</SessionDataPersist>


This sets an expiry time on the commonAuthId cookie, but only when the user selects the remember-me option at login. With the configuration above, the commonAuthId cookie expires 60 minutes after login.
By default, if the remember-me option is selected, the cookie expiry time is set to two weeks.
The browser discards the cookie once that time has passed.
Further, when a logged-in session has been invalidated from the cache, it is restored into the cache from the persistence store if and only if the remember-me option was selected. So regardless of whether session data persistence is enabled, if remember me was not selected the idle timeout of the logged-in session remains 15 minutes, the default cache expiry time.

In addition, the following settings are available under <SessionDataPersist>.

SessionDataPersist.Only
Setting this to true disables caching, so session data is only persisted. Session data is then available only if the user selected the remember-me option at login; otherwise, even though the session data is persisted, it is not retrieved.
This also disables caching in AuthenticationContextCache and AuthenticationResultCache.

SessionDataPersist.Temporary
Setting this property to true also persists the data added to AuthenticationContextCache and AuthenticationResultCache.
On a cache miss, the entry is retrieved from the session persistence store.
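Putting the settings above together, the following is a complete <SessionDataPersist> block as it would sit in identity.xml under Server/JDBCPersistenceManager. It is an assembled example added to this post, not a copy of the identity.xml shipped with IS 5.0.0; it shows only the elements discussed here (other children of JDBCPersistenceManager are omitted), and the values are the ones used in the examples above: a 10-minute cleanup period, a 60-minute session data timeout and a 60-minute remember-me period. The comments record the effect of each setting, including one interaction worth checking: CleanUp.TimeOut should not be shorter than RememberMePeriod, because the cleanup service would then delete the persisted session data while the browser still holds a valid commonAuthId cookie, and the session could no longer be restored once the cache evicts it.

```xml
<!-- identity.xml (WSO2 IS 5.0.0 + SP01), assembled example. Only the
     elements discussed in this post are shown; the other children of
     JDBCPersistenceManager present in the shipped file are omitted. -->
<Server>
    <JDBCPersistenceManager>
        <SessionDataPersist>
            <!-- Persist logged-in session data to the identity database.
                 Without this, a session exists only in the SessionContextCache
                 and is gone after the 15-minute cache expiry. -->
            <Enable>true</Enable>

            <!-- false: keep the cache and use the persistence store only to
                 restore evicted sessions (remember-me logins only).
                 true: disable caching (also for AuthenticationContextCache and
                 AuthenticationResultCache); session data is read from the
                 persistence store, again only for remember-me logins. -->
            <Only>false</Only>

            <!-- true: also persist AuthenticationContextCache and
                 AuthenticationResultCache entries so they can be retrieved on
                 a cache miss. In 5.0.0 this does not cover the
                 AuthenticationRequestCache keyed by sessionDataKey. -->
            <Temporary>true</Temporary>

            <!-- Lifetime of the commonAuthId cookie, in minutes, applied only
                 when the user selects "remember me". Default: two weeks (20160). -->
            <RememberMePeriod>60</RememberMePeriod>

            <CleanUp>
                <!-- The cleanup task runs only when this is true. -->
                <Enable>true</Enable>
                <!-- Minutes between two cleanup runs. Default: one day (1440). -->
                <Period>10</Period>
                <!-- Session data persisted more than this many minutes ago is
                     deleted. Default: two weeks (20160). Keep this greater than
                     or equal to RememberMePeriod: a smaller value removes the
                     persisted session before the cookie expires, so the session
                     cannot be restored after the cache evicts it. -->
                <TimeOut>60</TimeOut>
            </CleanUp>
        </SessionDataPersist>
    </JDBCPersistenceManager>
</Server>
```

Without remember me, none of these values change the effective idle timeout: the session still disappears from the cache after 15 minutes and is not restored. The persistence settings only extend the lifetime of remember-me sessions, so RememberMePeriod is the value to tighten if the two-week default is longer than your policy allows.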

I will update the post on how to test session timeout later. :)

6 comments:

  1. Malithi, I have tried to follow this but it seems that whatever I set has no effect on the session timeout. Trying to configure an Identity Server 5.0 which is also a key manager to have a session timeout.

  2. Hi Malithi,
    Could you let me know how to control the session timeout for "sessionDataKey" from the login page (authentication endpoint project)? If you are on the login page for >10 minutes and then try to login using proper credentials, the system redirects to saml_redirect.jsp.

    Thanks,
    Prabu

    1. Hi Prabu,

      Sorry for the late reply.

      The authentication endpoint web application is simply used to show login pages and is stateless. The 'sessionDataKey' parameter is communicated between the authentication endpoint and the authentication framework to track the authentication request.
      Unfortunately, with IS 5.0.0 we cannot configure the cache timeout for this AuthenticationRequestCache, which is by default 15 minutes. Nor can we enable session persistence for this cache with the 'SessionDataPersist.Temporary' property.
      So we cannot control the timeout for this cache key (sessionDataKey). Hence, if you stay on the login page for more than 15 minutes and try to login, the authentication framework will redirect to the retry page, since it cannot find the request initiated for the received 'sessionDataKey'.

      But this can be done in WSO2 IS 5.1.0 by enabling session persistence for this cache with the 'SessionDataPersist.Temporary' property.

      Thanks,
      Malithi.

    2. Hi Malithi,

      If a user bookmarks the SSO login page: as the default time interval for the sessionDataKey is 15 min, after 15 min, every time the user visits the page by clicking the bookmark link and enters the login credentials, they are redirected to an error page. How can we overcome this?

  3. I am getting 'Not a valid SAML 2.0 Request Message!' in the browser for IdP-initiated SSO. In the logs it shows ' DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - Invalid request message or single logout message '. Please help me with this.

  4. Can we pass sessionDataKey in any other way besides making it part of the request URL? We had some security concerns about exposing the sessionDataKey parameter.
