A user session is, more specifically, a data structure created by the Session Service to store information about a user session. Cookies are used to store a token that uniquely identifies the session data structure. A session data structure contains attributes and properties that define the user's identity and time-dependent behaviors. One example is the maximum time before the session expires.
The values of most of these attributes and properties are set by services other than the Session Service (primarily, the Authentication Service). The Session Service only provides storage for session information and enforces some of the time-dependent behavior. An example of such enforcement is invalidating and destroying sessions which exceed their maximum idle time or maximum session time.
A session data structure may contain the following:
The session data structure contains the following fixed attributes:
This universal, unique session identifier is an opaque, global string that programmatically identifies a specific session data structure. With this identifier, a resource is able to retrieve session information.
This specifies the type of client: USER or APPLICATION.
This is the state of the session: VALID, INVALID, DESTROYED or INACTIVE.
This is the maximum time in minutes without activity before the session will expire and the user must reauthenticate.
This is the maximum time in minutes before the session expires and the user must reauthenticate.
This is the maximum time in minutes before the client contacts Identity Server to refresh cached session information.
This refers to the last time the user accessed the resource.
This is the time at which the session token was set to a valid state.
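The following is an added example, not OpenSSO code, that models the fixed attributes above and the time-dependent enforcement described earlier (a session that exceeds its maximum idle time or maximum session time is invalidated and then destroyed). The field names, the in-memory store and the VALID to INVALID to DESTROYED transition are this example's own assumptions; the cookie holds only the opaque token, and all session data stays server-side.

```python
"""Minimal session store enforcing max idle time and max session time.

Added illustration, not OpenSSO's implementation. Attribute names are assumed
to mirror the attributes described on the page; timings are in minutes.
"""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Session states named on the page.
VALID, INVALID, DESTROYED, INACTIVE = "VALID", "INVALID", "DESTROYED", "INACTIVE"


@dataclass
class Session:
    session_id: str            # opaque token; the only thing stored in the cookie
    client_type: str           # USER or APPLICATION
    state: str
    max_idle_minutes: int      # idle limit before reauthentication is required
    max_session_minutes: int   # absolute lifetime before reauthentication is required
    max_caching_minutes: int   # how long a client may cache session info
    creation_time: datetime    # time the token became VALID
    latest_access_time: datetime
    properties: dict = field(default_factory=dict)  # protected properties set by other services


class SessionService:
    """Stores sessions and enforces only the time-dependent behaviour."""

    def __init__(self):
        self._sessions = {}

    def create(self, client_type, now, max_idle_minutes=30,
               max_session_minutes=120, max_caching_minutes=3, **properties):
        # 256-bit random token: unguessable, carries no user data itself.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, client_type, VALID, max_idle_minutes,
                                      max_session_minutes, max_caching_minutes,
                                      now, now, dict(properties))
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def validate(self, sid, now):
        """Return True if the session is usable at `now`; record access time.

        Unknown tokens and non-VALID sessions fail closed. Exceeding either
        limit marks the session INVALID and destroys it, so a later request
        with the same token is rejected.
        """
        s = self._sessions.get(sid)
        if s is None or s.state != VALID:
            return False
        idle_exceeded = now - s.latest_access_time > timedelta(minutes=s.max_idle_minutes)
        life_exceeded = now - s.creation_time > timedelta(minutes=s.max_session_minutes)
        if idle_exceeded or life_exceeded:
            s.state = INVALID
            s.properties["sessionTimedOut"] = "true"   # assumed property name
            self.destroy(sid)
            return False
        s.latest_access_time = now
        return True

    def destroy(self, sid):
        """Remove the session from the store and mark it DESTROYED."""
        s = self._sessions.pop(sid, None)
        if s is not None:
            s.state = DESTROYED
        return s


def demo():
    """Constructed timeline: returns the validation results at each step."""
    svc = SessionService()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    sid = svc.create("USER", t0, max_idle_minutes=30, max_session_minutes=120)
    results = [
        svc.validate(sid, t0 + timedelta(minutes=20)),   # idle 20 < 30: ok
        svc.validate(sid, t0 + timedelta(minutes=45)),   # idle 25 < 30: ok
        svc.validate(sid, t0 + timedelta(minutes=80)),   # idle 35 > 30: timed out
        svc.validate(sid, t0 + timedelta(minutes=81)),   # token no longer exists
    ]
    return sid, results


if __name__ == "__main__":
    print(demo())
```

Note that `validate` refreshes the access time only on success, so a rejected request never extends a session, and an absolute lifetime check is applied alongside the idle check so that steady activity cannot keep a session alive indefinitely.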
The session data structure also contains an extensible set of protected (or core) properties. The following protected properties are set by OpenSSO Enterprise and can only be modified by OpenSSO Enterprise (primarily the Authentication Service).
This is the DN of the organization to which the user belongs.
This is the DN of the user.
This is a list of names to which the user has authenticated. (This property may have more than one value, defined as a pipe-separated list.)
This is the user's DN as returned by the module, or in the case of modules other than LDAP or Membership, the user name. (All Principals must map to the same user. The UserId is the user DN to which they map.)
This is a user name. (All Principals must map to the same user. The UserToken is the user name to which they map.)
This is the host name or IP address for the client.
This is the highest level to which the user has authenticated.
This is a pipe-separated list of authentication modules to which the user has authenticated (for example, module1|module2|module3).
Applicable for service-based authentication only, this is the service to which the user belongs.
This is the client's login URL.
This is the host name of the client.
This attribute contains a value of true if the client browser supports cookies.
This is a string that specifies the time at which the authentication took place.
This attribute contains a value of true if the session has timed out.