Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

Session quotas not limiting active user sessions in AM (All versions) when persistent cookies are used

Last updated Apr 13, 2021

The purpose of this article is to provide information when session quotas do not appear to be limiting the number of active user sessions in AM when persistent cookies are used.


1 reader recommends this article

Symptoms

The number of active sessions per user appears to exceed the number specified in Active User Sessions.

Recent Changes

Configured session quotas with Resulting behavior if session quota exhausted option set to anything other than DENY_ACCESS.

Enabled persistent cookies.

Causes

The persistent cookie feature enables a previously destroyed session to be resumed by refreshing the browser. When used in conjunction with session quotas, it can appear that there are more sessions than the quota should allow. In fact, each time a session is resumed using refresh, a session in another browser is destroyed, thereby maintaining the quota; as this all occurs seamlessly, it can appear that there are endless sessions, but actually the number of active sessions never exceeds the limit specified.

Solution

The functionality is working correctly and sessions are limited as per the session quota.

See Also

Security Guide › Configuring Session Quotas

Authentication and Single Sign-On Guide › Persistent Cookie Module

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.