Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

401 Unauthorized: Session has timed out response when authenticating to AM (All versions)

Last updated Nov 3, 2021

The purpose of this article is to provide assistance if you receive a "Session has timed out" response when authenticating to AM. This error can occur when the session times out before the authentication process has completed, or when you are using module-based authentication and have a multi-server setup in a load balanced environment that does not use session stickiness (amlbcookie).



Symptoms

The browser stops responding after the user enters their credentials.

If you use a REST call or examine network traffic using your browser's Developer Tools, one of the following responses is shown, depending on the authentication method and AM version:

  • Authentication trees (AM 6.5.3 and later) and modules (All versions):
    {"code":401,"reason":"Unauthorized","message":"Session has timed out","detail":{"errorCode":"110"}}
  • Authentication trees (Pre-AM 6.5.3):
    {"code":400,"reason":"Bad Request","message":"Authentication Error: Authentication timeout."}

The corresponding error is shown in the Authentication debug log:

Caused by: com.sun.identity.authentication.service.AuthException: Session has timed out|session_timeout.jsp
    at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:284)
    at org.forgerock.openam.core.rest.authn.core.wrappers.CoreServicesWrapper.getAuthContext(CoreServicesWrapper.java:51)
    at org.forgerock.openam.core.rest.authn.core.LoginAuthenticator.getAuthContext(LoginAuthenticator.java:207)
    at org.forgerock.openam.core.rest.authn.core.LoginAuthenticator.getLoginProcess(LoginAuthenticator.java:92)
    at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:212)
    ... 83 more
Caused by: com.sun.identity.authentication.service.AuthException: Session has timed out|session_timeout.jsp

Recent Changes

Implemented or changed your load balancing configuration so that it does not have session stickiness.

Causes

This error can occur in the following scenarios:

  • The session times out before the authentication process is completed.
  • You are using module-based authentication without sticky load balancing. This may be a single module or multiple modules in a chain.

Sticky load balancing is a requirement in AM for all module-based authentication scenarios as noted in the following known issues: OPENAM-12675 (One-step authentication in a cluster requires sticky load balancing) and OPENAM-8336 (XUI+REST authentication with chains must have sticky load balancing). Without sticky load balancing, the load balancer may not send the request to the right AM server, which causes this error.
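
The following is an added illustration, not ForgeRock code: a simplified Python model of the failure described above, in which each AM node keeps module-based authentication sessions in its own memory. The AmServer class, the run_logins function, the two-step login flow and the server IDs "01" and "02" are constructed for the example; the 401 body matches the response shown under Symptoms.

```python
import itertools

TIMEOUT = {"code": 401, "reason": "Unauthorized",
           "message": "Session has timed out", "detail": {"errorCode": "110"}}

class AmServer:
    """Constructed stand-in for one AM node (hypothetical, not an AM API)."""
    def __init__(self, server_id):
        self.server_id = server_id
        self.auth_sessions = set()  # in memory only, not shared with other nodes

    def start_login(self, auth_id):
        # Step 1: the node creates the authentication session and identifies
        # itself to the load balancer through the amlbcookie value.
        self.auth_sessions.add(auth_id)
        return {"authId": auth_id, "amlbcookie": self.server_id}

    def submit_credentials(self, auth_id):
        # Step 2: only the node that created the session can complete it.
        if auth_id not in self.auth_sessions:
            return TIMEOUT
        self.auth_sessions.discard(auth_id)
        return {"code": 200}

def run_logins(sticky, logins=4):
    """Return the HTTP code of the final step of each login attempt."""
    servers = {"01": AmServer("01"), "02": AmServer("02")}
    round_robin = itertools.cycle(servers.values())

    def route(cookie=None):
        # A sticky load balancer honours amlbcookie; otherwise plain round robin.
        if sticky and cookie in servers:
            return servers[cookie]
        return next(round_robin)

    codes = []
    for n in range(logins):
        auth_id = f"auth-{n}"  # constructed identifier
        first = route().start_login(auth_id)
        second = route(first["amlbcookie"]).submit_credentials(auth_id)
        codes.append(second["code"])
    return codes

if __name__ == "__main__":
    print("round robin, no stickiness:", run_logins(sticky=False))
    print("sticky on amlbcookie:      ", run_logins(sticky=True))
```

With strict round robin across two nodes, the second request of every login reaches the node that does not hold the authentication session, so every attempt ends in the 401 response; routing on amlbcookie sends it back to the originating node.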

Solution

This issue can be resolved using one of the following options depending on the scenario being encountered and your environment:

The session times out before the authentication process is completed

You can increase the login page session timeouts if required as detailed in the following articles:

You are using module-based authentication without sticky load balancing

  • Implement sticky load balancing using the amlbcookie. See FAQ: Cookies in AM for further information on using the amlbcookie for load balancing.
  • Use an Active/Passive configuration for the AM nodes. Provided each node can handle the traffic volume, you still have failover, and traffic is always routed to the correct server.
  • Migrate to authentication trees and configure the storage location for authentication sessions so they are not stored in memory. See the following links for further information:

See Also

Cookies in AM

Load Balancers

Choosing Where to Store Sessions

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.