Sun Java System Access Manager 7.1 Technical Overview

Session Termination

A user session can be terminated in any of the following ways:

User Ends Session

When a user explicitly logs out of Access Manager by clicking on a link to the Logout Service, the following events occur:

  1. The Logout Service receives the Logout request, and performs the following steps:

    1. Marks user’s session as destroyed.

    2. Destroys session.

    3. Returns a successful logout page to the user.

  2. The Session Service notifies applications which are configured to interact with the session.

    In this case, each of the policy agents was configured for Session Notification, and each is sent a document instructing the agent that the session is now invalid.

  3. The policy agents flush the session from cache and the user session ends.

Administrator Ends Session

Access Manager administrators with appropriate permissions can terminate a user session at any time. When an administrator uses the Sessions tab in the Access Manager console to end a user’s session, the following events occur:

  1. The Logout Service receives the Logout request, and performs the following steps:

    1. Marks user’s session as destroyed.

    2. Destroys session.

  2. The Session Service notifies applications which are configured to interact with the session.

    In this case, each of the policy agents was configured for Session Notification, and each is sent a document instructing the agent that the session is now invalid.

  3. The policy agents flush the session from cache and the user session ends.

Access Manager Enforces Timeout Rules

When a session timeout limit is reached, the Session Service completes the following steps:

  1. Changes session status to invalid.

  2. Displays time-out message to user.

  3. Starts timer for purge operation delay (default is 60 minutes).

  4. When purge operation delay time is reached, purges or destroys the session.

  5. If a session validation request comes in after the purge delay time is reached, displays login page to user.
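The timeout and purge sequence above, together with the logout notification flow from the earlier sections, as a small Python model. This is an added example, not Access Manager code: the class and method names and the evaluation of the timeout at validation time are assumptions; only the 60-minute purge delay default comes from the text.

```python
PURGE_DELAY = 60 * 60  # seconds; the text gives 60 minutes as the default

class Session:
    def __init__(self, now):
        # States modelled here: valid -> invalid (timed out) -> purged
        self.last_access, self.state, self.invalid_since = now, "valid", None

class AgentCache:
    """Policy agent side (hypothetical): caches session ids, flushes on notification."""
    def __init__(self):
        self.cached = set()

    def notify_invalid(self, sid):
        self.cached.discard(sid)

class SessionService:
    """Hypothetical model of the Session Service; times are seconds."""
    def __init__(self, timeout, purge_delay=PURGE_DELAY):
        self.timeout, self.purge_delay = timeout, purge_delay
        self.sessions, self.agents = {}, []

    def create(self, sid, now):
        self.sessions[sid] = Session(now)
        for agent in self.agents:      # constructed: every agent has seen the session
            agent.cached.add(sid)

    def logout(self, sid):
        """User or administrator ends the session: destroy it, then notify agents."""
        if self.sessions.pop(sid, None) is not None:
            for agent in self.agents:
                agent.notify_invalid(sid)

    def validate(self, sid, now):
        """Return what the user gets: 'ok', 'timeout-message' or 'login-page'."""
        s = self.sessions.get(sid)
        if s is None:
            return "login-page"
        if s.state == "valid" and now - s.last_access >= self.timeout:
            # Timeout limit reached: status becomes invalid, purge timer starts.
            s.state, s.invalid_since = "invalid", s.last_access + self.timeout
        if s.state == "invalid":
            # The text does not describe agent notification on this path,
            # so none is modelled here.
            if now - s.invalid_since >= self.purge_delay:
                del self.sessions[sid]  # purge once the delay has elapsed
                return "login-page"
            return "timeout-message"
        s.last_access = now
        return "ok"
```

During the purge delay the session still exists but only ever yields the time-out message; after the delay it is gone and a validation request is treated like any unknown session.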

Session Quota Constraints

Access Manager allows administrators to constrain the number of sessions one user can have. If the user has more sessions than the administrator will allow, one (or more) of the existing sessions can be destroyed.