There are a number of different session timeouts you can set; this article focuses on setting session timeouts at a global level.
It is not possible to set global session timeouts in AM 7.x via ssoadm; this is a known issue: OPENAM-18304 (Cannot set session-max-session-time with ssoadm using set-attr-defs). You can either use the console to set global session timeouts or set them at the realm level as detailed in How do I configure realm level session timeouts in AM (All versions)?
There are two global session timeouts: Maximum Session Time, which is the maximum number of minutes that a session can remain active before a user is required to re-authenticate and Maximum Idle Time, which is the maximum number of minutes that a session can be idle before a user must re-authenticate.
You can configure the global session timeouts using either the console or ssoadm:
- Console: navigate to: Configure > Global Services > Session > Dynamic Attributes and enter the required number of minutes for the maximum session time and / or maximum idle time.
- ssoadm: enter the following command for maximum session time: $ ./ssoadm set-attr-defs -s iPlanetAMSessionService -t dynamic -u [adminID] -f [passwordfile] -a iplanet-am-session-max-session-time=[minutes]replacing [adminID], [passwordfile] and [minutes] with appropriate values.
- ssoadm: enter the following command for maximum idle time: $ ./ssoadm set-attr-defs -s iPlanetAMSessionService -t dynamic -u [adminID] -f [passwordfile] -a iplanet-am-session-max-idle-time=[minutes]replacing [adminID], [passwordfile] and [minutes] with appropriate values.
There is no recommended value for these session timeouts as they depend on your requirements and configuration. For a combination of security and convenience, you should consider setting the maximum session time to a higher value and the maximum idle time to a relatively low value. From a performance perspective, the maximum session time has to be considered when setting the maximum number of sessions. Unless your sessions expire quickly, you will probably need to set a higher limit for active sessions; the number of sessions is relative to the amount of memory being used, which means you need to adjust the Java™ Virtual Machines (JVM) heap size accordingly.