Session and Cookie


Maverics sessions include user attributes and orchestration context used to extend cloud identity services to other apps.

Note: Federated identity providers (IDPs) may still hold their own active sessions, which can allow users to re-authenticate silently. To fully log users out across all IDPs, refer to the single logout configuration.

The following parameters for sessions are set in Deployments under Orchestrator Settings.

Session

  • Max Lifetime Seconds: This field represents the maximum number of seconds that can elapse post-authentication before the session’s authentication state becomes invalid.

  • Evaluate Session Lifetime Service Extension: (Optional) This field enables you to determine how sessions reaching their max lifetime are handled. The Maximum Lifetime Seconds value is still used for individually expiring attributes. Note: You must have an existing Evaluate Session Maximum Lifetime Service Extension configured.

  • Idle Timeout: (Optional) This field represents the number of seconds a session may remain idle before timing out. If no value is set, or IdleTimeout is set to 0, then the session idle timeout is disabled.

  • Evaluate Session Lifetime Service Extension: (Optional) This field enables you to determine how session idle timeouts are handled. If this Service Extension is defined, the Idle Timeout value is ignored. Note: You must have an existing Evaluate Session Idle Timeout Service Extension configured.

  • Cache Size: (Optional) This field limits the number of sessions maintained in memory. Defaults to 50,000 sessions.

Cookie Settings

  • Domain: (Optional) This field specifies the hosts to which the session cookie will be sent.

  • Name: A friendly name for the cookie.

  • Disable HTTPOnly Attribute: (Optional) This field toggles the HttpOnly cookie attribute for the session. If disabled, the session cookie will not have the HttpOnly attribute, allowing the cookie to be accessed via client-side scripts.

  • Disable Secure Cookie Attribute: (Optional) This field toggles the Secure cookie attribute. If disabled, the session cookie will not have the Secure attribute, allowing the browser to send the cookie over an unencrypted HTTP request.
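
As an added example (not part of the Maverics documentation or the product's own code), the following Python check inspects `Set-Cookie` response headers for the attributes that the two Disable toggles above control, and notes when a Domain attribute is present. The cookie name `session_example` and the header values are constructed samples, not product defaults.

```python
# Added example: audit Set-Cookie headers for the session cookie attributes
# discussed above. Cookie name and header values are constructed samples.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes dict)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as HttpOnly have no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_session_cookie(headers, cookie_name):
    """Return a list of findings for the named session cookie."""
    findings = []
    seen = False
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        seen = True
        if "httponly" not in attrs:
            findings.append("missing HttpOnly: readable by client-side scripts")
        if "secure" not in attrs:
            findings.append("missing Secure: may be sent over unencrypted HTTP")
        if "domain" in attrs:
            # With Domain set, browsers also send the cookie to subdomains.
            domain = attrs["domain"].lstrip(".")
            findings.append("Domain=%s: sent to that host and its subdomains" % domain)
    if not seen:
        findings.append("cookie %r not found in response" % cookie_name)
    return findings


# Constructed sample headers: defaults left on vs. both toggles disabled.
HARDENED = ["session_example=abc123; Path=/; HttpOnly; Secure"]
WEAKENED = ["other=1; Path=/", "session_example=abc123; Path=/; Domain=.example.com"]

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weakened", WEAKENED)):
        print(label, audit_session_cookie(sample, "session_example"))
```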