Sun Java System Access Manager 7 2005Q4 Technical Overview

Cookies and Session Objects

The Session Service uses cookies and creates session objects to store information about a user session. In an Access Manager user session, the Session Service is most commonly used to enforce timeout limits. For example, you can use the Session Service to configure the Access Manager application so that the user is automatically logged out after x minutes of Access Manager inactivity. The Session Service can also be used to store additional information for use by other applications.

Cookies Store User Information

A cookie is an information packet generated by a web server and passed to a web browser. The cookie maintains information about the user’s interactions with the web server that generated the cookie. For example, a web server can generate a cookie containing information a web browser needs to display a page according to the user’s preferences for language or layout.

The fact that a web server generates a cookie for a user does not guarantee that the user is allowed access to protected resources. The cookie simply stores information about the user.

Cookies are domain-specific. For example, a cookie generated by a web server within DomainA cannot be used by a web server in DomainB. Cookies can be passed only between servers in the same domain in which the cookie was set. Similarly, servers can set cookies only for servers within their own domain.

Objects in the Session Data Structure

When a user logs in and is successfully authenticated (that is, verified to be who the user claims to be), the user is assigned a session. A session is a data structure that contains maximum timeout limits and information about caching time limits. The Session Service also generates a session token for the new session data structure. The session token, also known as a sessionID, is an encrypted, unique string that identifies the specific session instance. If the sessionID is known to a protected resource such as an application, the application can access the session and all user information contained in it.

Minimally, an Access Manager session data structure stores the following information about a user session:

Maximum Idle Time

Maximum number of minutes without activity before the session will expire and the user must reauthenticate.

Maximum Session Time

Maximum number of minutes (activity or no activity) before the session expires and the user must reauthenticate.

Maximum Caching Time

Maximum number of minutes before the client contacts Access Manager to refresh cached session information.

Internally, these session attributes are used to enforce Access Manager timeout limits.
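As an added illustration (not Access Manager's own code), the following Python model shows how the three attributes listed above govern a session's lifetime: Maximum Session Time is measured from creation regardless of activity, Maximum Idle Time from the last activity, and Maximum Caching Time from the client's last contact with the server. The Session and CachedSession types, the minute-based clock, and the sample values are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class SessionState(Enum):
    VALID = "valid"
    IDLE_TIMEOUT = "idle_timeout"        # Maximum Idle Time exceeded
    SESSION_TIMEOUT = "session_timeout"  # Maximum Session Time exceeded


@dataclass
class Session:
    """Hypothetical in-memory record holding the three attributes; all times in minutes."""
    session_id: str          # opaque token; whoever holds it can read the session
    created_at: float
    last_activity_at: float
    max_idle_time: int
    max_session_time: int
    max_caching_time: int


def evaluate(session, now):
    """State of the session at clock time `now` (minutes)."""
    # Maximum Session Time counts from creation, activity or not.
    if now - session.created_at >= session.max_session_time:
        return SessionState.SESSION_TIMEOUT
    # Maximum Idle Time counts from the most recent activity.
    if now - session.last_activity_at >= session.max_idle_time:
        return SessionState.IDLE_TIMEOUT
    return SessionState.VALID


def touch(session, now):
    """Record activity; an expired session is never revived, the user must reauthenticate."""
    state = evaluate(session, now)
    if state is SessionState.VALID:
        session.last_activity_at = now
    return state


@dataclass
class CachedSession:
    """What a client holds locally between refreshes from Access Manager."""
    session: Session
    cached_at: float


def needs_refresh(cache, now):
    """True once Maximum Caching Time has elapsed since the client last contacted the server."""
    return now - cache.cached_at >= cache.session.max_caching_time
```

Note that continuous activity keeps the idle clock reset but cannot extend a session past its Maximum Session Time.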

A session can also contain additional attributes and properties that other applications can use. For example, a session data structure can store information about a user’s identity, or about a user’s browser preferences. You can configure Access Manager to include the following types of information in a session:

For a detailed summary of information that can be included in a session, see the Sun Java System Access Manager 7 2005Q4 Developer’s Guide.