Session store
The Connect2id server includes a store for the end-user sessions. Its configuration properties are located in
WEB-INF/sessionStore.properties
The configuration properties are grouped into sections:
Any property in the configuration file can be overridden with a Java system property, e.g. by setting the optional -D argument at JVM startup:
-DsessionStore.maxLifetime=-1
The external configuration guide has tips for setting system properties from environment variables, local files and other locations.
1. Web API
sessionStore.apiAccessTokenSHA256
The access token for the subject session store web API, represented by its SHA-256 hash (in hexadecimal format). The hashed storage is intended to prevent accidental leakage of the token through configuration files, logs, etc. The token is of type Bearer, non-expiring and must contain at least 32 random alphanumeric characters to make brute force guessing impractical. If not specified the web API is disabled.
Additional access tokens, to facilitate token roll-over or for other needs, can be configured by appending a dot (.) with a unique label to the property name, e.g. as sessionStore.apiAccessTokenSHA256.1=abc...
The hash for a token with value ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6:
sessionStore.apiAccessTokenSHA256=cca68b8b82bcf0b96cb826199429e50cd95a042f8e8891d1ac56ab135d096633
sessionStore.secondaryAPIAccessTokenSHA256
Optional secondary access token for the subject session store web API. Has the same format as sessionStore.apiAccessTokenSHA256. Can be used to facilitate token roll-over. Must not be set if not needed. Use sessionStore.apiAccessTokenSHA256.* from v10.0 on.
sessionStore.secondaryAPIAccessTokenSHA256=304b07b6d8eb155a957b965831be9ce39fb098554a2d5f2047ee0a0491022dea
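As an added illustration (not Connect2id's own code) of how the hashed storage and the labelled roll-over tokens above fit together: the token is checked against the page's length/alphanumeric policy, only its SHA-256 hex lands in the property line, and a presented Bearer token is compared against every configured hash in constant time. The helper names and the lookup logic are assumptions.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional

# Helper names and the lookup logic are assumptions for illustration, not Connect2id code.
TOKEN_PROPERTY = "sessionStore.apiAccessTokenSHA256"
MIN_TOKEN_LENGTH = 32
# Matches the primary property and the labelled roll-over variants (".1", ".old", ...).
_TOKEN_PROP_RE = re.compile(re.escape(TOKEN_PROPERTY) + r"(?:\.([A-Za-z0-9_-]+))?$")

def check_token_policy(token: str) -> bool:
    """True if the token is alphanumeric and long enough to resist guessing."""
    return len(token) >= MIN_TOKEN_LENGTH and token.isalnum() and token.isascii()

def sha256_hex(token: str) -> str:
    """Hex SHA-256 of the token, the only form written to sessionStore.properties."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def property_line(token: str, label: Optional[str] = None) -> str:
    """Property line for a token; a label yields the '.label' roll-over variant."""
    if not check_token_policy(token):
        raise ValueError("token violates the length / alphanumeric policy")
    key = TOKEN_PROPERTY + (f".{label}" if label else "")
    return f"{key}={sha256_hex(token)}"

def load_token_hashes(properties_text: str) -> Dict[str, str]:
    """Collect the primary and every labelled token hash from properties text."""
    hashes = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = _TOKEN_PROP_RE.match(key)
        if m:
            hashes[m.group(1) or "primary"] = value.lower()
    return hashes

def verify_bearer(presented: str, hashes: Dict[str, str]) -> Optional[str]:
    """Label of the matching configured hash, or None; compares in constant time."""
    digest = sha256_hex(presented)
    matched = None
    for label, stored in hashes.items():  # no early exit: every entry is compared
        if hmac.compare_digest(digest, stored):
            matched = label
    return matched
```

During a roll-over the new token is added under a fresh label, clients are migrated, and the old entry is removed; both labels validate in the meantime.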
2. Session defaults and policies
sessionStore.maxLifetime
The default maximum session lifetime, in minutes. Applied to newly created subject sessions with an omitted max_life value. A negative value means no time limit. Must not be zero. The default value is 259200 minutes (180 days).
This guide explains how the three session timeouts relate to one another.
To set the default maximum session lifetime to 14 days (20160 minutes):
sessionStore.maxLifetime=20160
sessionStore.authLifetime
The default maximum authentication lifetime, in minutes. Applied to newly created subject sessions with an omitted auth_life value. A negative value means no time limit. Must not be zero. The default value is 10080 minutes (30 days).
This guide explains how the three session timeouts relate to one another.
To set the default maximum authentication lifetime to 24 hours (1440 minutes):
sessionStore.authLifetime=1440
sessionStore.maxIdleTime
The default maximum session idle time, in minutes. Applied to newly created subject sessions with an omitted max_idle value. A negative value means no time limit. Must not be zero. The default value is 1440 minutes (10 days).
This guide explains how the three session timeouts relate to one another.
To set the default maximum idle time to 24 hours (1440 minutes):
sessionStore.maxIdleTime=1440
sessionStore.quotaPerSubject
The maximum number of concurrent sessions a subject may have across browsers and devices. Must not be set to more than 25 concurrent sessions. The default value is 5.
To set the maximum number of concurrent sessions to ten:
sessionStore.quotaPerSubject=10
sessionStore.onQuotaExhaustion
The login behaviour when a subject exhausts their session quota. The default value is CLOSE_OLD_SESSION.
Policy values:
- DENY_LOGIN – The login request must be rejected.
- CLOSE_OLD_SESSION – The next expiring session for the subject must be closed and the new login request must be allowed to proceed. This is the default policy.
To set the policy to CLOSE_OLD_SESSION:
sessionStore.onQuotaExhaustion=CLOSE_OLD_SESSION
sessionStore.acceptLegacySIDs
Set to true to accept legacy session identifiers (SID) without HMAC protection. Required to enable import of sessions from Connect2id server versions 5.x and older. The default value is false.
sessionStore.acceptLegacySIDs=false
3. Internal configuration
sessionStore.internal.subjectIndexPurgeInterval
The interval for purging orphaned subject index keys, in seconds. If less than 1 the purge thread is disabled. The default value is -1 (disabled).
sessionStore.internal.subjectIndexPurgeInterval=-1
sessionStore.sessionMap.expirationInterval
Overrides the default wake-up interval of the Infinispan thread for expiring subject sessions whose maximum lifetime has been reached. The default value is 600000 milliseconds, or 10 minutes. Zero (0) disables the expiration thread.
This configuration can only be set or overridden via a Java system property.
To increase the interval to one hour:
-DsessionStore.sessionMap.expirationInterval=3600000
To disable the Infinispan expiration thread when all sessions are stored in AWS DynamoDB and also automatically expired there via a “ttl” attribute:
-DsessionStore.sessionMap.expirationInterval=0