Identity Cloud

Session termination

Sessions[1] enable single sign-on, letting authenticated users access system resources under Identity Cloud’s control without re-authenticating.

User sessions are terminated when a configured timeout is reached, or when a user performs actions that cause session termination. Session termination effectively logs the user out of all systems protected by Identity Cloud.

Identity Cloud terminates server-side sessions in four situations:

Under these circumstances, Identity Cloud responds by removing server-side sessions from the CTS token store and from server memory caches. With the user’s session no longer present in CTS, Identity Cloud forces the user to reauthenticate during subsequent attempts to access protected resources.

When a user explicitly logs out of Identity Cloud, Identity Cloud also attempts to invalidate the tenant session cookie in the user’s browser by sending a Set-Cookie header with an invalid session ID and a cookie expiration time that is in the past. In the case of administrator session termination and session timeout, Identity Cloud cannot invalidate the tenant session cookie until the next time the user accesses Identity Cloud.
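The cookie invalidation described above can be verified from the Set-Cookie headers of a logout response. The following is an added example, not ForgeRock code: the cookie name, session ID values, and header lines are constructed placeholders, and the check covers only the two conditions the text names (a replaced session ID and an expiration time in the past).

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

COOKIE_NAME = "tenant-session-cookie"            # hypothetical placeholder name
LIVE_SESSION_ID = "constructed-live-session-id"  # constructed sample value

# Constructed Set-Cookie header values, not captured from a real tenant.
LOGOUT_RESPONSE = [
    "tenant-session-cookie=constructed-invalid-id; Path=/; "
    "Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly",
]
STALE_RESPONSE = [
    "tenant-session-cookie=constructed-live-session-id; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def expires_in_past(attrs, now):
    """True if the Expires attribute is present, parseable and earlier than now."""
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return False
    if expires.tzinfo is None:  # treat a zone-less date as UTC
        expires = expires.replace(tzinfo=timezone.utc)
    return expires < now


def logout_invalidates_cookie(headers, cookie_name, live_session_id, now=None):
    """Check that a response overwrites the session cookie with a dead value."""
    now = now or datetime.now(timezone.utc)
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if name == cookie_name and value != live_session_id and expires_in_past(attrs, now):
            return True
    return False


if __name__ == "__main__":
    print(logout_invalidates_cookie(LOGOUT_RESPONSE, COOKIE_NAME, LIVE_SESSION_ID))
    print(logout_invalidates_cookie(STALE_RESPONSE, COOKIE_NAME, LIVE_SESSION_ID))
```

An empty header list returns False, which matches the administrator-termination and timeout cases: the server-side session is already gone, but the browser keeps the cookie until its next request to Identity Cloud.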

Configure session termination settings

Before you can configure the settings for session termination in a given realm, add the Session service configuration to that realm if necessary:

  1. In the AM admin UI, go to Realms > Realm Name.

  2. Select Services.

  3. Open the interface that lets you configure session termination:

    • If the Session service appears in the list of services configured for the realm, select Session.

    • If the Session service does not appear in the list of services configured for the realm, add it:

      1. Click Add a Service.

      2. Select Session from the drop-down list.

    The Session page appears, showing the Dynamic Attributes tab.

Set maximum session time-to-live

When configuring the maximum session time-to-live, balance security and user experience. Depending on your application, it may be acceptable for your users to log in once a month. Financial applications, for example, often terminate their sessions in less than an hour.

The longer a session is valid, the larger the window during which a malicious user who has hijacked a session cookie could impersonate the legitimate user.

  1. In the AM admin UI, go to Realms > Realm Name.

  2. Select Services.

  3. Select Session.

  4. On the Maximum Session Time property, configure a value suitable for your environment.

  5. Save your changes.

Set maximum session idle timeout

Consider a user with a valid session who is navigating through pages or making changes to the configuration. If for any reason they leave their desk and their computer remains unlocked, a malicious user could take the opportunity to impersonate them.

Session idle timeout can help mitigate those situations by logging out users after a specified duration of inactivity.

Note that session idle timeout can only be used in realms configured for server-side sessions.

  1. In the AM admin UI, go to Realms > Realm Name.

  2. Select Services.

  3. Select Session.

  4. On the Maximum Time Idle property, configure a value suitable for your environment.

  5. Save your changes.


1. This page pertains to sessions only, not authentication sessions.
Copyright © 2010-2023 ForgeRock, all rights reserved.