Wso2is session timeouts only work with "Remember me" otherwise the default is 15 minutes
I have a wso2is 5 + SP1 setup to continue sessions at https://docs.wso2.com/display/IS500/Enabling+Authentication+Session+Persistence
However, users who do not select "Remember Me" will be forced to re-authenticate wso2is after 15 minutes. These users have their cookie commonAuthId without expiration (end of browsing session). Users who select "Remember me" will receive their commonAuthId cookie with a set 24-hour expiration date and will not be prompted to re-authorize after 15 minutes.
In both scenarios, it seems that session serialization / caching is working correctly as both commonAuthId values will be stored in the IDN_AUTH_SESSION_STORE table in the support database.
For non-RememberMe, the log looks like this:
[2015-07-17 08:16:00,257] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - retrieving authentication request from cache.. {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-17 08:16:00,258] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Initializing the flow {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-17 08:16:00,258] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Framework contextId: 07084e16-7dd9-4726-bf9c-a9a42b06dfe1 {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-17 08:16:00,258] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Starting an authentication flow {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-17 08:16:00,259] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Loading Basic Application Data of default {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl}
[2015-07-17 08:16:00,260] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - commonAuthId cookie is available with the value: 4536ad78-26f5-44cb-97bb-080dfc319d13 {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-17 08:16:00,260] DEBUG {org.wso2.carbon.caching.impl.CacheImpl} - Using local cache {org.wso2.carbon.caching.impl.CacheImpl}
[2015-07-17 08:16:00,285] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Failed to find the SessionContext from the cache. Possible cache timeout. {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
This last line is a rejection
SessionContext sessionContext = FrameworkUtils.getSessionContextFromCache(cookie
.getValue());
in DefaultRequestCoordinator
. I'm just not sure why it is returning null for non RememberMe users. In contrast, here's a log from user RememberMe:
[2015-07-20 12:37:47,123] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - retrieving authentication request from cache.. {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-20 12:37:47,123] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Initializing the flow {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-20 12:37:47,123] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Framework contextId: a6bb7032-e089-4e8f-8ca4-c2f790a767f4 {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-20 12:37:47,123] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Starting an authentication flow {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-20 12:37:47,127] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - commonAuthId cookie is available with the value: c2b28178-ddcb-4156-b258-4e0fb5ffcdb8 {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-20 12:37:47,127] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Service Provider is: default {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-20 12:37:47,127] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - A previously authenticated sequence found for the SP: default {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
[2015-07-20 12:37:47,127] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Already authenticated by username: dillon {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
Here are the relevant sections of our identity.xml and web.xml that have timeouts set. Our datastore is Oracle db.
identity.xml:
<SessionDataPersist>
<PoolSize>0</PoolSize>
<Enable>true</Enable>
<RememberMePeriod>1440</RememberMePeriod>
<CleanUp>
<Enable>true</Enable>
<Period>30</Period>
<TimeOut>720</TimeOut>
</CleanUp>
<Temporary>false</Temporary>
</SessionDataPersist>
...
<SessionContextCache>
<Enable>true</Enable>
<Capacity>100000</Capacity>
</SessionContextCache>
web.xml
<session-config>
<session-timeout>720</session-timeout>
</session-config>
source to share