Session store configuration

The Connect2id server includes a built-in store for the user sessions with the OpenID Connect provider. The sessions and associated metadata are stored in an Infinispan data grid whose configuration is explained in a separate document.

To edit the session store configuration open the following properties file in the WEB-INF directory of the web application:

WEB-INF/sessionStore.properties

Any configuration file property can be overridden by setting a system property with a matching key, e.g. via the optional -D argument at JVM startup:

-DsessionStore.maxLifetime=-1

sessionStore.apiAccessToken

The access token for the subject session store web API. It is of type Bearer and non-expiring. It must contain at least 32 random alphanumeric characters to make brute-force guessing impractical. If not specified, the web API will be disabled.

sessionStore.apiAccessToken = ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

sessionStore.maxLifetime

The default maximum session lifetime, in minutes. Applied to newly created subject sessions where the max_life value has been omitted. A negative value implies no time limit. Must not be zero.

To set the default maximum session lifetime to 14 days (20160 minutes):

sessionStore.maxLifetime = 20160

sessionStore.authLifetime

The default maximum authentication lifetime, in minutes. Applied to newly created subject sessions where the auth_life value has been omitted. A negative value implies no time limit. Must not be zero.

To set the default maximum authentication lifetime to 24 hours (1440 minutes):

sessionStore.authLifetime = 1440

sessionStore.maxIdleTime

The default maximum session idle time, in minutes. Applied to newly created subject sessions where the max_idle value has been omitted. A negative value implies no time limit. Must not be zero.

To set the default maximum idle time to 24 hours (1440 minutes):

sessionStore.maxIdleTime = 1440

sessionStore.quotaPerSubject

The maximum number of concurrent sessions a subject may have across browsers and devices. Should typically be set to not more than ten concurrent sessions.

To set the maximum number of concurrent sessions to five:

sessionStore.quotaPerSubject = 5

sessionStore.onQuotaExhaustion

The login behaviour when a subject exhausts their session quota.

Policy values:

  • DENY_LOGIN -- The login request must be rejected.
  • CLOSE_OLD_SESSION -- The next expiring session for the subject must be closed and the new login request must be allowed to proceed.

To set the policy to CLOSE_OLD_SESSION:

sessionStore.onQuotaExhaustion = CLOSE_OLD_SESSION

sessionStore.purgeInterval

The purge interval for expired sessions, in minutes. Should typically be set to between five and ten minutes.

To set a ten minute purge interval:

sessionStore.purgeInterval = 10
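As an added example (not Connect2id's own code), the following Python script parses a constructed sessionStore.properties sample, applies the -D system property override rule described at the top of this page, and checks each property against the constraints documented above (non-zero lifetimes, token length and character set, quota, policy values, purge interval). The sample file content, the function names and the problem messages are assumptions made for this example.

```python
import re
# Constructed, deliberately misconfigured sample of sessionStore.properties (not the project's file).
SAMPLE_PROPERTIES = """
sessionStore.apiAccessToken = short
sessionStore.maxLifetime = 0
sessionStore.authLifetime = 1440
sessionStore.maxIdleTime = 1440
sessionStore.quotaPerSubject = 50
sessionStore.onQuotaExhaustion = KEEP_ALL
sessionStore.purgeInterval = 10
"""

def parse_properties(text: str) -> dict:
    """Minimal key = value parser; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def effective_config(file_props: dict, system_props: dict) -> dict:
    """A system property (-Dkey=value) with a matching key overrides the file value."""
    merged = dict(file_props)
    merged.update({k: v for k, v in system_props.items() if k.startswith("sessionStore.")})
    return merged

def check_session_store(cfg: dict) -> dict:
    """Return {property: problem} for each setting that breaks the documented rules."""
    problems, ints = {}, {}
    token = cfg.get("sessionStore.apiAccessToken")  # absent token only disables the web API
    if token is not None and not re.fullmatch(r"[A-Za-z0-9]{32,}", token):
        problems["sessionStore.apiAccessToken"] = "needs at least 32 random alphanumeric chars"
    for key in ("maxLifetime", "authLifetime", "maxIdleTime", "quotaPerSubject", "purgeInterval"):
        raw = cfg.get("sessionStore." + key)
        if raw is not None and not re.fullmatch(r"-?\d+", raw):
            problems["sessionStore." + key] = "not an integer"
        elif raw is not None:
            ints[key] = int(raw)
    for key in ("maxLifetime", "authLifetime", "maxIdleTime"):  # minutes; negative means no limit
        if ints.get(key) == 0:
            problems["sessionStore." + key] = "must not be zero"
    if ints.get("quotaPerSubject", 0) > 10:
        problems["sessionStore.quotaPerSubject"] = "should not exceed ten concurrent sessions"
    if cfg.get("sessionStore.onQuotaExhaustion") not in (None, "DENY_LOGIN", "CLOSE_OLD_SESSION"):
        problems["sessionStore.onQuotaExhaustion"] = "must be DENY_LOGIN or CLOSE_OLD_SESSION"
    if "purgeInterval" in ints and not 5 <= ints["purgeInterval"] <= 10:
        problems["sessionStore.purgeInterval"] = "should be between five and ten minutes"
    return problems
```

Running check_session_store on the sample flags the token, the zero maxLifetime, the oversized quota and the unknown policy; passing {"sessionStore.maxLifetime": "-1", "sessionStore.onQuotaExhaustion": "CLOSE_OLD_SESSION"} as the system properties clears the last two, mirroring what -D overrides do at startup.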