Sessions
========
LL::NG relies on a session mechanism with the session ID as a shared
secret between the user (in the :doc:`SSO cookie<ssocookie>`) and the
:ref:`session database<start-sessions-database>`.

To configure sessions, go to the Manager, ``General Parameters`` »
``Sessions``:

- **Store user password in session data**: see
  :doc:`password store documentation<passwordstore>`.
- **Display session identifier**: whether the session ID should be
  displayed in the Manager's session explorer. The session ID is
  sensitive information that should only be shown to highly trusted
  administrators.
- **Sessions timeout**: Maximum lifetime of a session. Old sessions are
  deleted by a cron script.
- **Sessions activity timeout**: Maximum inactivity duration.
- **Sessions update interval**: Minimum interval used to update the
  session when activity timeout is set.

.. danger::

   Session activity timeout requires Handlers to have write
   access to the sessions database.

- **Opening conditions**: rules which are evaluated before granting a
  session, see :doc:`Grant Session plugin documentation<grantsession>`.
- **Sessions Storage**: you can define here which session backend to
  use, with the backend options. See
  :ref:`sessions database configuration<start-sessions-database>` to
  know which modules you can use. Here are some global options that you
  can use with all session backends:

  - **generateModule**: allows one to override the default module that
    generates session identifiers. For security reasons, we recommend
    using
    ``Lemonldap::NG::Common::Apache::Session::Generate::SHA256``.
  - **IDLength**: length of session identifiers. Max is 32 for MD5
    and 64 for SHA256.

- **Multiple sessions**: you can restrict the number of open sessions:

  - **One session per user**: when a user logs in, all their previous
    sessions are removed.
  - **One IP address per user**: when a user logs in, all their
    previous sessions on a different IP address are removed.
  - **One user per IP address**: when a user logs in, all sessions
    that belong to a different user on that IP address are removed.
  - **Display deleted sessions**: display deleted sessions during the
    authentication phase.
  - **Display other sessions**: display other sessions during the
    authentication phase, with a link to delete them.

- **Persistent sessions**: are used for storing users' login history,
  2F devices, OIDCConsents and so on. Large organizations may have to
  disable persistent session storage to avoid too many database
  tuples.

  - **Disable storage**: Do not store user persistent sessions.

.. attention::

   Note that since the HTTP protocol is not connected,
   restrictions are not applied to the new session: the oldest ones are
   destroyed.

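
The three **Multiple sessions** restrictions can be modelled as a selection over the session store at login time. The following Python example is added here for illustration and is not LL::NG code: the ``Session`` class, the ``sessions_to_remove`` function and the sample data are hypothetical, and it assumes, as the note above states, that the new session is always kept and the older ones are destroyed.

```python
# Illustrative model of the "Multiple sessions" options (not LL::NG code).
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    sid: str   # session identifier (constructed sample values below)
    user: str  # user identifier
    ip: str    # client IP address recorded when the session was opened


def sessions_to_remove(existing, new, one_session_per_user=False,
                       one_ip_per_user=False, one_user_per_ip=False):
    """Return the IDs of existing sessions destroyed when `new` is opened.

    The new session itself is never rejected: only older sessions go.
    """
    doomed = set()
    for s in existing:
        same_user = s.user == new.user
        same_ip = s.ip == new.ip
        # One session per user: every previous session of this user.
        if one_session_per_user and same_user:
            doomed.add(s.sid)
        # One IP address per user: this user's sessions on another IP.
        if one_ip_per_user and same_user and not same_ip:
            doomed.add(s.sid)
        # One user per IP address: other users' sessions on this IP.
        if one_user_per_ip and same_ip and not same_user:
            doomed.add(s.sid)
    return sorted(doomed)


# Constructed sample data: store content just before "dwho" logs in again.
STORE = [
    Session("a1", "dwho", "192.0.2.10"),
    Session("b2", "dwho", "198.51.100.7"),
    Session("c3", "rtyler", "192.0.2.10"),
]
NEW = Session("d4", "dwho", "192.0.2.10")

if __name__ == "__main__":
    for opts in ({"one_session_per_user": True},
                 {"one_ip_per_user": True},
                 {"one_user_per_ip": True}):
        print(opts, "->", sessions_to_remove(STORE, NEW, **opts))
```

Combining the options removes the union of the sets selected by each rule.
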
Command-line tools
==================

.. versionadded:: 2.0.9

You can use the ``lemonldap-ng-sessions`` tool to search, update or delete sessions. See a few examples in :ref:`the examples page <cli-sessions>`.

.. deprecated:: 2.0.10

- LLNG Portal provides a simple tool to delete a session:
  ``llngDeleteSession``. To use it, simply give it the user identifier
  *(wildcards are allowed)*:

.. code-block:: shell

   # Delete all sessions opened by user "dwho"
   $ llngDeleteSession dwho
   # Patterns are quoted so the shell does not expand "*" to file names
   # Delete all sessions opened by users starting with "dh"
   $ llngDeleteSession 'dh*'
   # Delete all sessions:
   $ llngDeleteSession '*'