Upgrading Sessions

The Authentication Service enables you to upgrade a valid session token based on a second, successful authentication performed by the same user to the same realm. If a user with a valid session token attempts to authenticate to a resource secured by his current realm and this second authentication request is successful, the session is updated with the properties based on the new authentication. If the authentication fails, the user’s current session is returned without an upgrade. If the user with a valid session attempts to authenticate to a resource secured by a different realm, the user will receive a message asking whether they would like to authenticate to the new realm. The user can, at this point, maintain the current session or attempt to authenticate to the new realm. Successful authentication to the new realm will result in the old session being destroyed and a new one being created.

During session upgrade, if a login page times out, redirection to the original success URL will occur. Timeout values are determined based on:

• The value of the timeout attribute of the Callback property of the page in each authentication module's specific XML file. The default value is 1 minute. This value can not be set using the OpenSSO Enterprise console.

• The value of the Invalidate Session Max Time property is the duration (in minutes) after which an invalid session will be removed from the session table after it is created but before the user logs in.

  1. Click Servers and Sites under the Configuration tab.

  2. Click Default Server Settings.

  3. Click the Session tab to modify Invalidate Session Max Time.

• The value of the Maximum Session Time attribute; by default, 120 minutes.

  1. Click Global under the Configuration tab.

  2. Click Session in the Service Name list.

  3. Modify Maximum Session Time.

The values of Invalidate Session Max Time and Maximum Session Time should be greater than the value of the timeout attribute; otherwise, the valid session information during session upgrade will be lost and URL redirection to the previous successful URL will fail.