Sun OpenSSO Enterprise 8.0 Developer's Guide

Inside a User Session

A user session is, more specifically, a data structure created by the Session Service to store information about a user session. Cookies are used to store a token that uniquely identifies the session data structure. A session data structure contains attributes and properties that define the user's identity and time-dependent behaviors. One example is the maximum time before the session expires.

The values of most of these attributes and properties are set by services other than the Session Service (primarily, the Authentication Service). The Session Service only provides storage for session information and enforces some of the time-dependent behavior. An example of such enforcement is invalidating and destroying sessions which exceed their maximum idle time or maximum session time.

A session data structure may contain the following:

Session Attributes

The session data structure contains the following fixed attributes:

sun.am.universalIdentifier

This universal, unique session identifier is an opaque, global string that programmatically identifies a specific session data structure. With this identifier, a resource is able to retrieve session information.

Type

This specifies the type of client: USER or APPLICATION.

State

This is the state of the session: VALID, INVALID, DESTROYED or INACTIVE.

maxIdleTime

This is the maximum time in minutes without activity before the session will expire and the user must reauthenticate.

maxSessionTime

This is the maximum time in minutes before the session expires and the user must reauthenticate.

maxCachingTime

This is the maximum time in minutes before the client contacts Identity Server to refresh cached session information.

latestAccessTime

This refers to the last time the user accessed the resource.

creationTime

This is the time at which the session token was set to a valid state.

Protected Properties

The session data structure also contains an extensible set of protected (or core) properties. The following protected properties are set by OpenSSO Enterprise and can only be modified by OpenSSO Enterprise (primarily the Authentication Service).

Organization

This is the DN of the organization to which the user belongs.

Principal

This is the DN of the user.

Principals

This is a list of names to which the user has authenticated. (This property may have more than one value, defined as a pipe-separated list.)

UserId

This is the user's DN as returned by the module, or in the case of modules other than LDAP or Membership, the user name. (All Principals must map to the same user. The UserId is the user DN to which they map.)

UserToken

This is a user name. (All Principals must map to the same user. The UserToken is the user name to which they map.)

Host

This is the host name or IP address for the client.

authLevel

This is the highest level to which the user has authenticated.

AuthType

This is a pipe separated list of authentication modules to which the user has authenticated (for example, module1|module2|module3).

Service

Applicable for service-based authentication only, this is the service to which the user belongs.

loginURL

This is the client's login URL.

Hostname

This is the host name of the client.

cookieSupport

This attribute contains a value of true if the client browser supports cookies.

authInstant

This is a string that specifies the time at which the authentication took place.

SessionTimedOut

This attribute contains a value of true if the session has timed out.
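As an added illustration, not code from OpenSSO Enterprise itself, the following Python models the session attributes and protected properties listed above together with the time-dependent enforcement the Session Service performs (idle and lifetime expiry). The epoch-second clock, the choice of INVALID as the timed-out state, and all sample values are assumptions made for the example.

```python
from dataclasses import dataclass, field

VALID, INVALID, DESTROYED, INACTIVE = "VALID", "INVALID", "DESTROYED", "INACTIVE"


@dataclass
class Session:
    """Model of the session data structure described on this page.

    Times are epoch seconds; maxIdleTime and maxSessionTime are in minutes,
    the units the guide gives for those attributes."""
    sid: str                     # sun.am.universalIdentifier (opaque; value is constructed)
    client_type: str = "USER"    # Type: USER or APPLICATION
    state: str = VALID           # State: VALID, INVALID, DESTROYED or INACTIVE
    maxIdleTime: int = 30
    maxSessionTime: int = 120
    creationTime: float = 0.0
    latestAccessTime: float = 0.0
    properties: dict = field(default_factory=dict)  # protected properties

    def enforce(self, now: float) -> str:
        """Time-dependent enforcement as the Session Service performs it:
        a VALID session that has exceeded its maximum idle time or its
        maximum session time is invalidated and SessionTimedOut is set.
        (Assumption: the timed-out state is INVALID, not DESTROYED.)"""
        if self.state != VALID:
            return self.state
        idle = now - self.latestAccessTime
        age = now - self.creationTime
        if idle > self.maxIdleTime * 60 or age > self.maxSessionTime * 60:
            self.state = INVALID
            self.properties["SessionTimedOut"] = "true"
        return self.state

    def touch(self, now: float) -> bool:
        """Record a resource access. Returns False, leaving latestAccessTime
        untouched, if the session has expired and reauthentication is needed."""
        if self.enforce(now) != VALID:
            return False
        self.latestAccessTime = now
        return True


def pipe_list(session: Session, name: str) -> list:
    """Split a multi-valued protected property (Principals, AuthType) on '|'."""
    return [v for v in session.properties.get(name, "").split("|") if v]
```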