Session store
The Connect2id server includes a built-in store for the user sessions with the OpenID Connect provider. The sessions and their associated metadata are stored in an Infinispan data grid, whose configuration is explained in a separate document.
To edit the session store configuration, open the following properties file in the WEB-INF directory of the web application:
WEB-INF/sessionStore.properties
Any configuration file property can be overridden by setting a system-wide property with a matching key, e.g. by using the optional -D argument at JVM startup:
-DsessionStore.maxLifetime=-1
sessionStore.apiAccessToken
The access token for the subject session store web API. It is of type Bearer and non-expiring. It must contain at least 32 random alphanumeric characters to make brute-force guessing impractical. If not specified, the web API will be disabled.
sessionStore.apiAccessToken = ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
sessionStore.maxLifetime
The default maximum session lifetime, in minutes. Applied to newly created subject sessions where the max_life value has been omitted. A negative value implies no time limit. Must not be zero.
The maximum session lifetime is used in conjunction with the maximum authentication lifetime and the maximum idle time to determine when a session should expire (whichever time event occurs first).
To set the default maximum session lifetime to 14 days (20160 minutes):
sessionStore.maxLifetime = 20160
sessionStore.authLifetime
The default maximum authentication lifetime, in minutes. Applied to newly created subject sessions where the auth_life value has been omitted. A negative value implies no time limit. Must not be zero.
The maximum authentication lifetime is used in conjunction with the maximum lifetime and the maximum idle time to determine when a session should expire (whichever time event occurs first).
To set the default maximum authentication lifetime to 24 hours (1440 minutes):
sessionStore.authLifetime = 1440
sessionStore.maxIdleTime
The default maximum session idle time, in minutes. Applied to newly created subject sessions where the max_idle value has been omitted. A negative value implies no time limit. Must not be zero.
The maximum idle time is used in conjunction with the maximum lifetime and the maximum authentication lifetime to determine when a session should expire (whichever time event occurs first).
To set the default maximum idle time to 24 hours (1440 minutes):
sessionStore.maxIdleTime = 1440
sessionStore.quotaPerSubject
The maximum number of concurrent sessions a subject may have across browsers and devices. Should typically be set to not more than ten concurrent sessions.
To set the maximum number of concurrent sessions to five:
sessionStore.quotaPerSubject = 5
sessionStore.onQuotaExhaustion
The login behaviour when a subject exhausts their session quota.
Policy values:
DENY_LOGIN – The login request must be rejected.
CLOSE_OLD_SESSION – The next expiring session for the subject must be closed and the new login request must be allowed to proceed.
To set the policy to CLOSE_OLD_SESSION:
sessionStore.onQuotaExhaustion = CLOSE_OLD_SESSION
sessionStore.purgeInterval
The purge interval for expired sessions, in minutes. Should typically be set between five and ten minutes.
To set a ten minute purge interval:
sessionStore.purgeInterval = 10
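As an added illustration, not Connect2id server code, the following Python model applies the rules stated above for the three lifetime limits (maxLifetime, authLifetime, maxIdleTime, with "whichever occurs first" expiry, negative meaning unlimited and zero rejected), the per-subject quota with its two exhaustion policies, and the periodic purge, to a few constructed sessions. The class and function names (Defaults, Session, SessionStore, demo), the sample subjects and the timestamps are assumptions made for the example; the default minute values are the ones used in the property examples on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Hypothetical model of the sessionStore.* rules (added example, not Connect2id code).
# Durations are minutes: negative means "no limit", zero is rejected.
FAR_FUTURE = datetime.max.replace(tzinfo=timezone.utc)
POLICIES = ("DENY_LOGIN", "CLOSE_OLD_SESSION")


def check_minutes(name: str, minutes: int) -> int:
    """Reject a zero limit; negative is unlimited, positive is a limit in minutes."""
    if minutes == 0:
        raise ValueError(f"{name} must not be zero")
    return minutes


@dataclass
class Defaults:
    """Mirrors the sessionStore.* properties; values are this page's examples."""
    max_lifetime: int = 20160                       # sessionStore.maxLifetime
    auth_lifetime: int = 1440                       # sessionStore.authLifetime
    max_idle_time: int = 1440                       # sessionStore.maxIdleTime
    quota_per_subject: int = 5                      # sessionStore.quotaPerSubject
    on_quota_exhaustion: str = "CLOSE_OLD_SESSION"  # sessionStore.onQuotaExhaustion

    def __post_init__(self) -> None:
        for name in ("max_lifetime", "auth_lifetime", "max_idle_time"):
            check_minutes(name, getattr(self, name))
        if self.on_quota_exhaustion not in POLICIES:
            raise ValueError(f"unknown policy {self.on_quota_exhaustion!r}")


@dataclass
class Session:
    sid: str
    subject: str
    created: datetime
    auth_time: datetime
    last_access: datetime
    max_life: int
    auth_life: int
    max_idle: int

    def expiry(self) -> Optional[datetime]:
        """Earliest of the three deadlines; None when every limit is negative."""
        deadlines = []
        if self.max_life > 0:
            deadlines.append(self.created + timedelta(minutes=self.max_life))
        if self.auth_life > 0:
            deadlines.append(self.auth_time + timedelta(minutes=self.auth_life))
        if self.max_idle > 0:
            deadlines.append(self.last_access + timedelta(minutes=self.max_idle))
        return min(deadlines) if deadlines else None

    def is_expired(self, now: datetime) -> bool:
        exp = self.expiry()
        return exp is not None and now >= exp


class QuotaExceeded(Exception):
    """Raised under DENY_LOGIN when the subject's quota is already used up."""


class SessionStore:
    def __init__(self, defaults: Defaults) -> None:
        self.defaults = defaults
        self.sessions: Dict[str, Session] = {}

    def active_for(self, subject: str, now: datetime) -> List[Session]:
        return [s for s in self.sessions.values()
                if s.subject == subject and not s.is_expired(now)]

    def login(self, sid: str, subject: str, now: datetime,
              max_life: Optional[int] = None, auth_life: Optional[int] = None,
              max_idle: Optional[int] = None) -> Session:
        """Create a session; omitted per-session limits fall back to the defaults."""
        active = self.active_for(subject, now)
        if len(active) >= self.defaults.quota_per_subject:
            if self.defaults.on_quota_exhaustion == "DENY_LOGIN":
                raise QuotaExceeded(subject)
            # CLOSE_OLD_SESSION: close the session that would expire next
            victim = min(active, key=lambda s: s.expiry() or FAR_FUTURE)
            del self.sessions[victim.sid]
        d = self.defaults
        session = Session(
            sid, subject, now, now, now,
            d.max_lifetime if max_life is None else check_minutes("max_life", max_life),
            d.auth_lifetime if auth_life is None else check_minutes("auth_life", auth_life),
            d.max_idle_time if max_idle is None else check_minutes("max_idle", max_idle))
        self.sessions[sid] = session
        return session

    def touch(self, sid: str, now: datetime) -> None:
        """Record activity, which pushes only the idle deadline forward."""
        self.sessions[sid].last_access = now

    def purge_expired(self, now: datetime) -> List[str]:
        """What a run of the periodic purge (sessionStore.purgeInterval) removes."""
        gone = [sid for sid, s in self.sessions.items() if s.is_expired(now)]
        for sid in gone:
            del self.sessions[sid]
        return gone


def demo() -> dict:
    """Constructed walk-through: quota of two, default lifetimes, CLOSE_OLD_SESSION."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    store = SessionStore(Defaults(quota_per_subject=2))
    a = store.login("a", "alice", t0)
    store.touch("a", t0 + timedelta(hours=23))  # idle deadline moves to t0+47h,
    # but the 24h auth lifetime still expires "a" at t0+24h (earliest wins)
    b = store.login("b", "alice", t0 + timedelta(hours=1), auth_life=-1)
    store.login("c", "alice", t0 + timedelta(hours=2))  # quota hit: closes "a"
    minutes = lambda s: int((s.expiry() - t0).total_seconds() // 60)
    return {"a_expiry_minutes": minutes(a), "closed_by_quota": "a" not in store.sessions,
            "b_expiry_minutes": minutes(b),
            "purged_at_30h": store.purge_expired(t0 + timedelta(hours=30))}
```

Running demo() shows session "a" expiring 1440 minutes after creation despite recent activity, because the authentication lifetime is the first limit reached; the third login for the same subject closes "a" as the next-expiring session, and a purge run 30 hours in removes "b" (idle limit) and "c" (auth limit).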