Server-side sessions reside in a database internal to Identity Cloud called the Core Token Service (CTS) token store.
When you configure Identity Cloud to use server-side sessions, Identity Cloud sends session references to clients. The references do not contain any of the session state information. Identity Cloud can modify sessions during their lifetime without changing clients' references to the session.
Identity Cloud uses authentication sessions to manage authentication journeys before a user has authenticated successfully.
During authentication, the authentication session reference is returned to the
client after each call to the
authenticate endpoint and stored in the
object of the JSON response.
Identity Cloud maintains the authentication session in the CTS token store. After the authentication flow has completed, if the realm to which the user has authenticated is configured for client-side sessions, Identity Cloud returns the session state to the client and deletes the server-side session.
After the user has successfully authenticated, Identity Cloud returns a session reference, which is known as an SSO token.
For browser clients, Identity Cloud sets a cookie in the browser that contains the session reference.
For REST clients, Identity Cloud returns the session reference in response to calls
Server-side sessions can be cached in memory. When a session that is being requested is cached, session retrieval is nearly instantaneous.
Identity Cloud automatically caches server-side sessions after retrieving them from the CTS token store. No configuration is required to enable server-side session caching.