401 Unauthorized: Session has timed out response when authenticating to AM (All versions)

Symptoms

The browser stops responding after the user enters their credentials. 

The following response is shown if you use a REST call or examine network traffic using your browser's Developer Tools:

{"code":401,"reason":"Unauthorized","message":"Session has timed out"}

The corresponding error is shown in the Authentication debug log:

Caused by: com.sun.identity.authentication.service.AuthException: Session has timed out|session_timeout.jsp 
   at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:284) 
   at org.forgerock.openam.core.rest.authn.core.wrappers.CoreServicesWrapper.getAuthContext(CoreServicesWrapper.java:51) 
   at org.forgerock.openam.core.rest.authn.core.LoginAuthenticator.getAuthContext(LoginAuthenticator.java:207) 
   at org.forgerock.openam.core.rest.authn.core.LoginAuthenticator.getLoginProcess(LoginAuthenticator.java:92) 
   at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:212) 
... 83 more 
Caused by: com.sun.identity.authentication.service.AuthException: Session has timed out|session_timeout.jsp 

Recent Changes

Upgraded to, or installed AM 5 or later.

Implemented or changed your load balancing configuration so that it does not have session stickiness.

Causes

Sticky load balancing is a requirement in AM for all module-based authentication scenarios as noted in the following known issues: OPENAM-12675 (One-step authentication in a cluster requires sticky load balancing) and OPENAM-8336 (XUI+REST authentication with chains must have sticky load balancing). Without sticky load balancing, the load balancer may not send the request to the right AM server, which causes this error.

Solution

This issue can be resolved using one of the following options as appropriate to your environment:

• Implement sticky load balancing using the amlbcookie. See FAQ: Cookies in AM/OpenAM for further information on using the amlbcookie for load balancing.
• Use Active/Passive configuration for the AM nodes; providing each node can handle the traffic volume, you will still have failover but ensure traffic is routed to the correct server.
• Upgrade to AM 6 or later; you can download this from BackStage. You can then migrate to authentication trees and configure the storage location for authentication sessions so they are not stored in memory. See the following links for further information: 
  • AM 6 Release Notes › New Features (Distributed Login)
  • Best practice for migrating Authentication Chains to Trees in AM 6.x

See Also

Required callback not found in JSON response when authenticating to AM/OpenAM (All versions)

Cookies in AM/OpenAM

Installation Guide › Installing and Starting Servers › Configuring Load Balancing for a Site

Authentication and Single Sign-On Guide › Choosing Where to Store Sessions

Related Training

N/A

Related Issue Tracker IDs

OPENAM-12675 (One-step authentication in a cluster requires sticky load balancing)

OPENAM-8336 (XUI+REST authentication with chains must have sticky load balancing)