Sessions
LL::NG relies on a session mechanism with the session ID as a shared
secret between the user (in the SSO cookie) and the
session database.
To configure sessions, go in Manager, General Parameters » Sessions:
- Store user password in session data: see
password store documentation.
- Display session identifier: should the session ID be displayed in the Manager's session explorer. The session ID is sensitive information that should only be shown to highly trusted administrators.
- Sessions timeout: Maximum lifetime of a session. Old sessions are
deleted by a cron script.
- Sessions activity timeout: Maximum inactivity duration.
- Sessions update interval: Minimum interval used to update session
when activity timeout is set.
Danger
Session activity timeout requires Handlers to have write
access to the sessions database.
- Opening conditions: rules which are evaluated before granting a
session, see the Grant Session plugin documentation.
- Sessions Storage: you can define here which session backend to
use, with the backend options. See the
sessions database configuration to
know which modules you can use. Here are some global options that you
can use with all session backends:
- generateModule: allows one to override the default module that
generates session identifiers. For security reasons, we recommend
using
Lemonldap::NG::Common::Apache::Session::Generate::SHA256
- IDLength: length of session identifiers. Max is 32 for MD5
and 64 for SHA256.
- Multiple sessions: you can restrict the number of open sessions:
- One session per user: when a user logs in, all their previous
sessions are removed
- One IP address per user: when a user logs in, all their
previous sessions on a different IP address are removed
- One user per IP address: when a user logs in, all sessions
that belong to a different user on that IP address are removed
- Display deleted sessions: display deleted sessions on
authentication phase.
- Display other sessions: display other sessions on
authentication phase, with a link to delete them.
- Persistent sessions: are used for storing users' login history,
2F devices, OIDCConsents and so on. Large organizations may have to
disable persistent session storage to avoid too many database
tuples.
- Disable storage: do not store user persistent sessions.
Attention
Note that since HTTP is a connectionless protocol, the
restrictions are not applied to the new session: the oldest
sessions are destroyed instead.
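The following is an added illustration, not code from LL::NG, of how the timeouts, the update interval and the three "Multiple sessions" restrictions above interact: the new login is always granted and conflicting older sessions are removed, and the Handler only writes back the activity timestamp once per update interval. Class and method names are hypothetical, and timestamps are passed in explicitly (a simplification) so the behaviour is deterministic.

```python
import hashlib
import secrets


class SessionStore:
    """Toy model of the session rules: lifetime/activity timeouts, the
    update interval, and the "multiple sessions" restrictions (assumed names)."""

    def __init__(self, timeout, activity_timeout, update_interval,
                 one_session_per_user=False, one_ip_per_user=False,
                 one_user_per_ip=False):
        self.timeout = timeout                    # "Sessions timeout"
        self.activity_timeout = activity_timeout  # "Sessions activity timeout"
        self.update_interval = update_interval    # "Sessions update interval"
        self.one_session_per_user = one_session_per_user
        self.one_ip_per_user = one_ip_per_user
        self.one_user_per_ip = one_user_per_ip
        self.sessions = {}  # session ID -> {"user", "ip", "created", "last_seen"}

    @staticmethod
    def new_id():
        # 64 hex chars derived from a CSPRNG, i.e. the IDLength of the SHA256
        # generator: the ID is the shared secret, so its entropy matters.
        return hashlib.sha256(secrets.token_bytes(32)).hexdigest()

    def login(self, user, ip, now):
        # Restrictions never reject the new login; they remove the older
        # sessions that conflict with it (see the "Attention" note above).
        for sid, s in list(self.sessions.items()):
            same_user, same_ip = s["user"] == user, s["ip"] == ip
            if (self.one_session_per_user and same_user
                    or self.one_ip_per_user and same_user and not same_ip
                    or self.one_user_per_ip and same_ip and not same_user):
                del self.sessions[sid]
        sid = self.new_id()
        self.sessions[sid] = {"user": user, "ip": ip, "created": now, "last_seen": now}
        return sid

    def touch(self, sid, now):
        # Handler-side check on each request; returns True if the session is valid.
        s = self.sessions.get(sid)
        if s is None:
            return False
        if now - s["created"] > self.timeout or now - s["last_seen"] > self.activity_timeout:
            del self.sessions[sid]  # expired: the cron script would purge it too
            return False
        # Write last_seen back at most once per update interval; this write is
        # why Handlers need write access when an activity timeout is configured.
        if now - s["last_seen"] >= self.update_interval:
            s["last_seen"] = now
        return True
```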