A session is a reference identifier on the Jans Auth Server that is linked to a person's authentication state. During an authentication workflow, Auth Server writes a cookie carrying the `session_id` into the person's browser. OpenID Native SSO defines a way for mobile apps from the same vendor to keep the `session_id` in the iOS or Android protected secret storage instead. By correlating the session, the IDP can return an identity assertion (`id_token`) to a client without re-authenticating the person. SSO ensues.
For example, say a person uses a browser to navigate to the website of Relying Party RP1, which redirects to Jans Auth Server for authentication. Once the person is authenticated, the OP creates a `session_id` cookie, sets the session state to authenticated, and places the session in the cache. If the person then navigates their browser to the website of RP2, it also redirects to the OP for authentication; since the `session_id` detected via the cookie is already authenticated, the OP authenticates the person automatically for RP2 (without an authentication prompt).
Jans Auth Server stores user session data in its cache. Auth Server performance when retrieving the session varies depending on whether the session is stored in memory, Redis, Memcached or the database, as controlled by the `cacheProviderType` Auth Server configuration property.
The Auth Server session can have one of two states:
- `unauthenticated` - a browser has started, but not completed, an authentication workflow.
- `authenticated` - the person has successfully authenticated.
The following Auth Server configuration properties are related to sessions:
- `sessionIdLifetime` - lifetime of the OP session in seconds. It sets both the `session_id` cookie expiration and the OP session object expiration in the persistence (the latter only if `serverSessionIdLifetime` is not set or equals 0, which is the default). You can set the value to 0 or -1, which means that no expiration is set; in that case the session is valid until the browser session ends. Default value is
- `serverSessionIdLifetime` - dedicated property to control the lifetime of the server-side OP session object in seconds. Overrides `sessionIdLifetime`. The default value is 0, so the object lifetime equals `sessionIdLifetime` (which then sets both cookie and object expiration). Useful when the client cookie and the server object need different lifetimes.
- `sessionIdUnusedLifetime` - unused OP session lifetime in seconds. If an OP session is not used for this amount of time, it is removed. Default value is
- `sessionIdUnauthenticatedUnusedLifetime` - lifetime in seconds of an `unauthenticated` OP session. This determines how long the user can stay on the login page without authenticating. Default value is
- `sessionIdRequestParameterEnabled` - Boolean value specifying whether the `session_id` is accepted as an HTTP request parameter. Default value is
- `sessionIdPersistOnPromptNone` - specifies whether to persist or update the session object with data when `prompt=none`. Default value is
- `invalidateSessionCookiesAfterAuthorizationFlow` - special property specifying whether to invalidate `consent_session_id` cookies right after successful or unsuccessful authorization.
- `changeSessionIdOnAuthentication` - issue a different `session_id` after the user authenticates. This prevents session fixation: a `session_id` planted in the browser before login cannot be used to ride the authenticated session afterwards. The default value is
- `sessionIdPersistInCache` - if true, sessions are stored according to `cacheProviderType`; otherwise sessions are persisted in the database. Default value is
For both unused-lifetime properties, Jans Auth Server calculates the unused period as `currentUnusedPeriod = now - session.lastUsedAt`. So, depending on the OP session state:
- `unauthenticated` - if `currentUnusedPeriod` exceeds `sessionIdUnauthenticatedUnusedLifetime`, the session object is removed.
- `authenticated` - if `currentUnusedPeriod` exceeds `sessionIdUnusedLifetime`, the session object is removed.
Jans Auth Server updates the `lastUsedAt` property of the session object:
- during creation
- for each Auth Server authentication attempt (regardless of success)
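The following is an added example, not Jans Auth Server code, that models how the lifetime properties listed above and the `lastUsedAt` rule fit together: which property bounds the server-side object, when the `session_id` cookie becomes a browser-session cookie, when an idle session is removed in each state, and what `changeSessionIdOnAuthentication` does to the identifier. The property names follow the page; the class and function names, the decision to count the absolute lifetime from session creation, the `>=` boundary on the unused check and every numeric value are assumptions chosen for illustration (the numbers are not the server defaults).

```python
"""Model of Jans Auth Server session lifetime rules (added example, not Jans code).

Property names follow the Jans documentation; class names, the choice to count
the absolute lifetime from creation, the '>=' boundary and all numeric values
are assumptions for illustration only."""
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class SessionConfig:
    # Illustrative values only, not the server defaults.
    sessionIdLifetime: int = 3600
    serverSessionIdLifetime: int = 0        # 0 => falls back to sessionIdLifetime
    sessionIdUnusedLifetime: int = 1800
    sessionIdUnauthenticatedUnusedLifetime: int = 120
    changeSessionIdOnAuthentication: bool = True


@dataclass
class OpSession:
    session_id: str
    created_at: int                 # epoch seconds
    last_used_at: int               # the page's lastUsedAt
    state: str = "unauthenticated"  # or "authenticated"
    user: Optional[str] = None


def create_session(now: int) -> OpSession:
    # Creation is the first lastUsedAt update.
    return OpSession(secrets.token_urlsafe(24), now, now)


def record_auth_attempt(s: OpSession, cfg: SessionConfig, now: int,
                        success: bool, user: str) -> OpSession:
    # Every authentication attempt, successful or not, refreshes lastUsedAt.
    s.last_used_at = now
    if success:
        s.state = "authenticated"
        s.user = user
        if cfg.changeSessionIdOnAuthentication:
            # A fresh identifier after login means an id planted in the
            # browser before login (session fixation) is worthless afterwards.
            s.session_id = secrets.token_urlsafe(24)
    return s


def server_object_lifetime(cfg: SessionConfig) -> Optional[int]:
    """Absolute lifetime of the server-side object, or None for 'no expiration set'."""
    lifetime = (cfg.serverSessionIdLifetime if cfg.serverSessionIdLifetime > 0
                else cfg.sessionIdLifetime)
    return lifetime if lifetime > 0 else None   # 0 or -1: no expiration set


def cookie_expiry(cfg: SessionConfig) -> str:
    """What the session_id cookie's expiry attribute looks like."""
    if cfg.sessionIdLifetime <= 0:
        return "session"                        # expires=session: gone when the browser closes
    return f"Max-Age={cfg.sessionIdLifetime}"


def session_status(s: OpSession, cfg: SessionConfig, now: int) -> str:
    """'valid', 'expired' (absolute lifetime hit) or 'removed-unused' (idle too long)."""
    lifetime = server_object_lifetime(cfg)
    if lifetime is not None and now - s.created_at >= lifetime:
        return "expired"
    current_unused_period = now - s.last_used_at      # the page's formula
    unused_limit = (cfg.sessionIdUnusedLifetime if s.state == "authenticated"
                    else cfg.sessionIdUnauthenticatedUnusedLifetime)
    if current_unused_period >= unused_limit:
        return "removed-unused"
    return "valid"


if __name__ == "__main__":
    cfg = SessionConfig()
    s = create_session(now=1000)
    print(session_status(s, cfg, 1100))   # valid: on the login page for 100 s
    print(session_status(s, cfg, 1130))   # removed-unused: 130 s idle, unauthenticated limit is 120 s
    s = record_auth_attempt(create_session(1000), cfg, 1050, True, "alice")
    print(session_status(s, cfg, 2000))   # valid: authenticated, 950 s idle < 1800 s
    print(session_status(s, cfg, 4700))   # expired: 3700 s since creation >= 3600 s
```

The point to take from the model is that an `unauthenticated` session is bounded only by the short unauthenticated unused lifetime, while an `authenticated` one is bounded by whichever of the absolute lifetime (server object or cookie) and the unused lifetime fires first, so a `sessionIdLifetime` of -1 does not make the server object live forever as long as `sessionIdUnusedLifetime` is set.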
To end another person's session, Jans Auth Server provides a Session Revocation Endpoint.
## Session Event Interception Scripts
It is possible to run custom business logic when Jans Auth Server detects session events; see:
## How can we force the user to log out if the user is idle on the RP for 4 hours?
The OP knows nothing about end-user activity on the RP. Therefore, the RP has to track activity itself, and when the inactivity limit is reached (in this case, 4 hours) the RP should initiate front-channel logout by redirecting the browser to the OP's end-session endpoint, so that the OP session is ended and not just the RP's local one.
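As an added example (not Jans code and not any RP framework's code), here is the RP-side logic the answer above calls for: a per-request hook that compares the last recorded activity against the idle limit and, once it is exceeded, clears the RP's local session and redirects the browser to the OP's end-session endpoint with `id_token_hint` and `post_logout_redirect_uri`, which is the standard RP-initiated front-channel logout request. The endpoint URL, the post-logout redirect URI, the shape of the RP session dict and the function names are assumptions for illustration.

```python
"""RP-side idle tracking that triggers RP-initiated front-channel logout
(added example; not Jans code). The endpoint URL, redirect URI, session dict
shape and function names are assumptions for illustration."""
from typing import Optional, Tuple
from urllib.parse import urlencode

IDLE_LIMIT = 4 * 3600                                                      # 4 hours, as in the question
END_SESSION_ENDPOINT = "https://op.example/jans-auth/restv1/end_session"  # assumed OP URL
POST_LOGOUT_REDIRECT_URI = "https://rp.example/logged-out"                 # must be registered for the client


def idle_logout_url(rp_session: dict, now: int, idle_limit: int = IDLE_LIMIT) -> Optional[str]:
    """Return the end_session redirect if the user has been idle too long, else None."""
    if now - rp_session["last_activity"] < idle_limit:
        return None
    params = {
        "id_token_hint": rp_session["id_token"],         # tells the OP whose session to end
        "post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI,
        "state": rp_session["logout_state"],              # echoed back so the RP can verify the return
    }
    return f"{END_SESSION_ENDPOINT}?{urlencode(params)}"


def handle_request(rp_session: dict, now: int) -> Tuple[str, Optional[str]]:
    """Per-request hook: ('redirect', url) to log out, or ('ok', None) to proceed.

    The idle check runs before the activity timestamp is refreshed; doing it the
    other way round would reset the clock on the very request that should log out.
    """
    url = idle_logout_url(rp_session, now)
    if url is not None:
        rp_session.clear()               # drop the RP-local session before handing off to the OP
        return "redirect", url
    rp_session["last_activity"] = now    # genuine activity: extend the idle window
    return "ok", None


if __name__ == "__main__":
    # Constructed sample session; the id_token value is a placeholder, not a real JWT.
    session = {"last_activity": 0, "id_token": "eyJ.placeholder", "logout_state": "abc123"}
    print(handle_request(session, 100))                 # ('ok', None)
    print(handle_request(session, 100 + IDLE_LIMIT))    # ('redirect', 'https://op.example/...')
```

Only requests that represent real user activity should go through `handle_request`; background polling or keep-alive calls from the page must not refresh `last_activity`, or the 4-hour limit will never be reached.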
## How can we force the user to log out if the browser is closed?
Setting `sessionIdLifetime` to -1 sets the `session_id` cookie to `expires=session` and gives the OP session object no expiration time. Most browsers clear cookies with `expires=session` when the browser is closed. Be aware that some browsers restore session cookies when reopened (for example, when configured to continue where the user left off); that is undesirable default browser behavior for this purpose, and in that case the server-side object is bounded only by the unused-lifetime properties, so keep `sessionIdUnusedLifetime` set to something reasonable rather than relying on the browser alone.