Sun Java System Access Manager 7 2005Q4 Technical Overview

Session Termination

A user session can be terminated in one of three ways:

User Ends Session

When a user explicitly logs out of Access Manager, the following events occur:

  1. The user logs out by clicking on a link to the Logout Service.

  2. The Logout Service receives the Logout request, and then performs the following steps:

    1. Marks user’s session as destroyed.

    2. Destroys session.

    3. Returns a successful logout page to the user.

  3. The Session Service notifies applications which are configured to interact with the session.

    In this case, each of the policy agents was configured for Session Notification, and each is sent a document instructing the agent that the session is now invalid.

  4. The policy agents flush the session from cache and the user session ends.

Administrator Ends Session

Access Manager Administrators with appropriate permissions can terminate a user session at any time. When an administrator ends a session, the following events occur:

  1. The administrator uses the Sessions tab in the Access Manager console to end the user’s session.

  2. The Logout Service receives the Logout request, and then performs the following steps:

    1. Marks user’s session as destroyed.

    2. Destroys session.

  3. The Session Service notifies applications which are configured to interact with the session.

    In this case, each of the policy agents was configured for Session Notification, and each is sent a document instructing the agent that the session is now invalid.

  4. The policy agents flush the session from cache and the user session ends.

Access Manager Enforces Timeout Rules

When a session timeout limit is reached, the Session Service completes the following steps:

  1. Changes session status to invalid.

  2. Displays time-out message to user.

  3. Starts timer for purge operation delay (default is 60 minutes).

  4. When purge operation delay time is reached, purges or destroys the session.

  5. If a session validation request comes in after the purge delay time is reached, displays login page to user.
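
The logout and timeout flows above, as an added sketch that is not Access Manager code: a toy Session Service and policy agents showing that only agents configured for Session Notification flush their cache on logout, and what a validation request returns before and after the 60-minute purge delay. The class names, the 30-minute timeout, the login-page result for an unknown session, and the agent that was never registered for notification are assumptions of the model.

```python
from dataclasses import dataclass, field

PURGE_DELAY_MIN = 60  # default purge operation delay given on the page

@dataclass
class Agent:
    """Hypothetical policy agent holding a local session cache."""
    name: str
    cache: set = field(default_factory=set)

    def on_session_invalid(self, sid):
        self.cache.discard(sid)  # logout step 4: flush the session from cache

class SessionService:
    """Toy model of the Session Service; not the Access Manager API."""
    def __init__(self, timeout_min):
        self.timeout_min = timeout_min
        self.expiry = {}     # sid -> minute at which the timeout limit is reached
        self.listeners = {}  # sid -> agents configured for Session Notification

    def create(self, sid, now, notify=()):
        self.expiry[sid] = now + self.timeout_min
        self.listeners[sid] = list(notify)

    def logout(self, sid):
        # User or administrator path: destroy the session, then notify agents.
        self.expiry.pop(sid, None)
        for agent in self.listeners.pop(sid, []):
            agent.on_session_invalid(sid)

    def validate(self, sid, now):
        exp = self.expiry.get(sid)
        if exp is None:
            return "login-page"  # assumption: unknown session means re-login
        if now >= exp + PURGE_DELAY_MIN:
            self.expiry.pop(sid)  # timeout step 4: purge after the delay
            self.listeners.pop(sid, None)
            return "login-page"  # timeout step 5
        return "timeout-message" if now >= exp else "valid"  # steps 1-2

def demo():
    svc = SessionService(timeout_min=30)  # constructed value
    notified, silent = Agent("notified"), Agent("silent")
    svc.create("s1", now=0, notify=[notified])
    notified.cache.add("s1"); silent.cache.add("s1")
    svc.logout("s1")
    svc.create("s2", now=0)
    return ("s1" in notified.cache, "s1" in silent.cache,
            [svc.validate("s2", t) for t in (29, 30, 89, 90)])
```

In this model the agent left out of Session Notification still holds the destroyed session in its cache after logout, which is the condition to check for when auditing agent configuration.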