
Sessions in AM/OpenAM (All versions) exceed the session quota limit without expiring

Last updated Jul 9, 2018

The purpose of this article is to provide assistance if you notice that sessions in AM/OpenAM are not expiring, meaning the total number of sessions for a user can exceed the session quota limit. This can happen when the session quota behavior is set to DESTROY_NEXT_EXPIRING (default setting), DESTROY_OLDEST_SESSION or DESTROY_LAST.


Symptoms

There are two notable symptoms associated with this issue:

  • An individual user can have more concurrent sessions than are permitted, where some of the sessions have an idle time that exceeds the idle timeout limit. This can be seen in the console or using other session monitoring methods, as detailed in How do I monitor session statistics in AM/OpenAM (All versions)? Although these sessions are visible in the console, the amadmin user may not always be able to invalidate them. This issue with concurrent sessions can also cause SAML requests to fail when concurrent requests are received.
  • Old sessions are not expired as expected. You will intermittently see one of the following messages in your browser or in response to a REST call, even though the sessions should be destroyed automatically to prevent the maximum number being reached:
    Maximum Sessions Limit Reached
    
    Maximum sessions limit reached or session quota has exhausted
    
    Retrying often resolves it and allows you to log in.

You will also witness this behavior in the logs. The following examples show the type of errors you may see depending on your setup / use cases:

  • amAuthentication.error log:
    "2017-05-03 11:42:12" "Maximum Sessions Limit Reached." 198.51.100.0 "cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org" id=jdoe@example.com,ou=user,ou=employees,dc=openam,dc=forgerock,dc=org "Not Available" nasacom "Not Available" ou=employees,dc=openam,dc=forgerock,dc=org INFO 198.51.100.0 AUTHENTICATION-200
    
  • Authentication debug log:
    amAuth:04/05/2017 11:32:54:495 AM GMT: Thread[ajp-apr-8009-exec-220,5,main]
    Error message is : Maximum Sessions Limit Reached.
    amAuthUtils:04/05/2017 11:32:54:495 AM GMT: Thread[ajp-apr-8009-exec-220,5,main]
    URL name : PostProcessLoginFailureURL Value : Not set - null or empty string
    amAuth:04/05/2017 11:32:54:495 PM GMT: Thread[ajp-apr-8009-exec-220,5,main]
    processURL : null
    amAuthREST:04/05/2017 11:32:54:495 PM GMT: Thread[ajp-apr-8009-exec-220,5,main]
    AuthenticationService.authenticate() :: Rest Authentication Exception
    org.forgerock.openam.forgerockrest.authn.exceptions.RestAuthErrorCodeException: Maximum Sessions Limit Reached.
       at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:284)
       at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:251)
       at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:160)
       at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.initiateAuthentication(RestAuthenticationHandler.java:93)
       at org.forgerock.openam.forgerockrest.authn.restlet.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:133)
    
  • Session debug log:
    amSession:05/04/2017 10:48:39:378 AM EST: Thread[http-0.0.0.0:8080-1,5,main]
    SessionConstraint.checkQuotaAndPerformAction: Session quota exhausted.
    
    
    amSession:05/04/2017 10:49:18:378 AM EST: Thread[http-0.0.0.0:8080-1,5,main]
    Failed to destroy the next expiring session.
    com.iplanet.dpro.session.SessionException: Session is in a destroyed state
       at com.iplanet.dpro.session.Session.getSession(Session.java:1170)
       at com.iplanet.dpro.session.Session.getSession(Session.java:1133)
       at com.iplanet.dpro.session.Session.getSession(Session.java:1118)
    
    
  • Federation debug log:
    libSAML2:05/04/2017 10:45:02:306 PM GMT: Thread[http-nio-8080-exec-34,5,main] 
    ERROR: spAssertionConsumer.jsp: SSO failed. 
    com.sun.identity.saml2.common.SAML2Exception: Login Failed 
    Maximum Sessions Limit Reached.|maxSessions.jsp 
       at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1328) 
       at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:255) 
    
       at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) 
       ...
    Caused by: com.sun.identity.plugin.session.SessionException: Login Failed 
    Maximum Sessions Limit Reached.|maxSessions.jsp 
       at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:285) 
       at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1307) 
    ... 35 more 
    Caused by: com.sun.identity.authentication.spi.AuthLoginException: Login Failed 
    

Recent Changes

Enabled session quota constraints.

Changed the session quota behavior to DESTROY_NEXT_EXPIRING (default setting), DESTROY_OLDEST_SESSION or DESTROY_LAST.

Causes

Concurrent attempts to authenticate are not subject to quota constraints. These concurrent attempts can originate from either a single server or a multi-server deployment.

This issue happens because the time taken to persist a session in CTS (and to replicate it to the other CTS instances) is longer than the interval before a second instance queries for the user's active sessions. The session quota is always checked before a new session is activated, so if the earlier session has not yet been replicated to the CTS instance that the second server queries by the time the check is done, the check passes on both servers and the session quota can be exceeded.

Solution

This issue can be resolved by upgrading to AM 5.5 or later, or to OpenAM 13.5.1; you can download these from BackStage.

Note

This is an interim fix in AM 5.5.x and OpenAM 13.5.1; it is still possible to exceed the configured quota constraints, but AM/OpenAM will recover properly when a new authentication attempt is made.

Workaround

A suggested workaround for this issue is to set the session quota behavior to DESTROY_OLD_SESSIONS; once the session quota is reached, this option invalidates all previous sessions and resets the session count to 0.

See Also

Session quotas not limiting active user sessions in AM/OpenAM (All versions) when persistent cookies are used

How do I monitor session statistics in AM/OpenAM (All versions)?

Authentication and Single Sign-On Guide › Introducing Authentication and Single Sign-On › Session Quotas

Related Training

N/A

Related Issue Tracker IDs

OPENAM-10332 (Quota constraints exceeded - Interim Fix)

OPENAM-5864 (Quota constraints exceeded in multi-instance with LB and CTS enabled)



Copyright and Trademarks

Copyright © 2018 ForgeRock, all rights reserved.