<abbrtitle="LemonLDAP::NG">LL::NG</abbr> rely on a session mechanism with the session ID as a shared secret between the user (in <ahref="ssocookie.html"class="wikilink1"title="documentation:2.0:ssocookie">SSO cookie</a>) and the <ahref="start.html#sessions_databases"class="wikilink1"title="documentation:2.0:start">session database</a>.
</p>
<p>
To configure sessions, go in Manager, <code>General Parameters</code> » <code>Sessions</code>:
</p>
<ul>
<liclass="level1"><divclass="li"><strong>Store user password in session data</strong>: see <ahref="passwordstore.html"class="wikilink1"title="documentation:2.0:passwordstore">password store documentation</a>.</div>
</li>
<liclass="level1"><divclass="li"><strong>Sessions timeout</strong>: Maximum lifetime of a session. Old sessions are deleted by a cron script.</div>
</li>
<liclass="level1"><divclass="li"><strong>Sessions activity timeout</strong>: Maximum inactivity duration.</div>
</li>
<liclass="level1"><divclass="li"><strong>Sessions update interval</strong>: Minimum interval used to update session when activity timeout is set.</div>
</li>
</ul>
<divclass="notewarning">Session activity timeout requires Handlers to have a write access to sessions database.
<liclass="level1"><divclass="li"><strong>Opening conditions</strong>: rules which are evaluated before granting session, see <ahref="grantsession.html"class="wikilink1"title="documentation:2.0:grantsession">Grant Session plugin documentation</a></div>
<liclass="level1"><divclass="li"><strong>Sessions Storage</strong>: you can define here which session backend to use, with the backend options. See <ahref="start.html#sessions_database"class="wikilink1"title="documentation:2.0:start">sessions database configuration</a> to know which modules you can use. Here are some global options that you can use with all sessions backends:</div>
<liclass="level2"><divclass="li"><strong>generateModule</strong>: allows one to override the default module that generates sessions identifiers. For security reasons, we recommend to use Lemonldap::NG::Common::Apache::Session::Generate::SHA256</div>
<liclass="level2"><divclass="li"><strong>IDLength</strong>: length of sessions identifiers. Max is 32 for MD5 and 64 for SHA256</div>
</li>
</ul>
</li>
<liclass="level1"><divclass="li"><strong>Multiple sessions</strong>, you can restrict the number of open sessions:</div>
<ul>
<liclass="level2"><divclass="li"><strong>One session only by user</strong>: a user can not open 2 sessions with the same account.</div>
</li>
<liclass="level2"><divclass="li"><strong>One <abbrtitle="Internet Protocol">IP</abbr> only by user</strong>: a user can not open 2 sessions with different <abbrtitle="Internet Protocol">IP</abbr>.</div>
</li>
<liclass="level2"><divclass="li"><strong>One user by <abbrtitle="Internet Protocol">IP</abbr> address</strong>: 2 users can not open a session with the same <abbrtitle="Internet Protocol">IP</abbr>.</div>
</li>
<liclass="level2"><divclass="li"><strong>Display deleted sessions</strong>: display deleted sessions on authentication phase.</div>
</li>
<liclass="level2"><divclass="li"><strong>Display other sessions </strong>: display other sessions on authentication phase, with a link to delete them.</div>
<liclass="level1"><divclass="li"><strong>Persistent sessions</strong>: are used for storing users log in history, 2F devices, OIDCConsents and so on. Heavy organizations may have to disable persistent sessions storage to avoid too many database tuples.</div>
<ul>
<liclass="level2"><divclass="li"><strong>Disable storage</strong>: Do not store user persitent sessions.</div>
<liclass="level1"><divclass="li"> LLNG Portal provides a simple tool to delete a session: <code>llngDeleteSession</code>. To use it, simply give it the user identifier <em>(wildcard are authorizated)</em>:</div>