Sun Java System Access Manager 7 2005Q4 Technical Overview

Objects in the Session Data Structure

When a user logs in and is successfully authenticated (that is, verified to be who the user claims to be), the user is assigned a session. A session is a data structure that contains maximum timeout limits and information about caching time limits. The Session Service also generates a session token for the new session data structure. The session token, also known as a sessionID, is an encrypted, unique string that identifies the specific session instance. If the sessionID is known to a protected resource such as an application, the application can access the session and all user information contained in it.

Minimally, an Access Manager session data structure stores the following information about a user session:

Maximum Idle Time

Maximum number of minutes without activity before the session will expire and the user must reauthenticate.

Maximum Session Time

Maximum number of minutes (activity or no activity) before the session expires and the user must reauthenticate.

Maximum Caching Time

Maximum number of minutes before the client contacts Access Manager to refresh cached session information.

Internally, these session attributes are used to enforce Access Manager timeout limits.
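The following sketch is an added example, not Access Manager code. It models how the three limits above interact, including the window in which a client's cached copy can lag behind the session's real state. The class and method names, the use of seconds for timestamps, and the `>=` boundary are assumptions of this simplified model.

```python
from dataclasses import dataclass

@dataclass
class Session:
    """Hypothetical model of the three timeout attributes listed above."""
    created: float             # login time, in seconds
    max_idle_min: int          # Maximum Idle Time
    max_session_min: int       # Maximum Session Time
    max_caching_min: int       # Maximum Caching Time
    last_access: float = None  # defaults to the login time

    def __post_init__(self):
        if self.last_access is None:
            self.last_access = self.created

    def state(self, now):
        """Return 'valid', 'idle_timeout' or 'max_timeout' at time `now`."""
        if now - self.created >= self.max_session_min * 60:
            return "max_timeout"      # absolute limit, activity or no activity
        if now - self.last_access >= self.max_idle_min * 60:
            return "idle_timeout"
        return "valid"

    def touch(self, now):
        """Record activity; an expired session is never revived."""
        if self.state(now) != "valid":
            return False
        self.last_access = now
        return True

class ClientCache:
    """Client-side copy of session state, refreshed per Maximum Caching Time."""
    def __init__(self, session, now):
        self.session = session
        self.fetched = now
        self.cached_state = session.state(now)

    def check(self, now):
        """Serve the cached state until it is stale, then re-read the session."""
        if now - self.fetched >= self.session.max_caching_min * 60:
            self.fetched = now
            self.cached_state = self.session.state(now)
        return self.cached_state

if __name__ == "__main__":
    # Constructed values: 5 min idle, 120 min session, 3 min caching.
    s = Session(created=0, max_idle_min=5, max_session_min=120, max_caching_min=3)
    cache = ClientCache(s, now=0)
    for minute in (2, 3, 5.5, 6):
        print(minute, s.state(minute * 60), cache.check(minute * 60))
```

In this model the cached copy still reports a valid session at minute 5.5 even though the idle limit has already passed, so a shorter caching time narrows the gap between expiry and enforcement at the client.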

A session can also contain additional attributes and properties which can be used by other applications. For example, a session data structure can store information about a user’s identity, or about a user’s browser preferences. You can configure Access Manager to include the following types of information in a session:

For a detailed summary of information that can be included in a session, see the Sun Java System Access Manager 7 2005Q4 Developer’s Guide.