The Session Management system provides enterprise-grade session security for mission-critical applications. Maverics sessions are comprehensive containers that hold the complete user context needed for identity orchestration.
A Maverics session encompasses the user’s authentication state, attributes retrieved from multiple identity sources (like Active Directory, databases, or APIs), and any metadata associated with the user’s journey through your applications. Think of it as a secure, ephemeral server-side profile that aggregates everything needed to make intelligent access decisions across your entire infrastructure.
This comprehensive approach enables identity orchestration across hybrid and cloud environments. Organizations can extend cloud identity services like Azure AD to protect legacy on-premises applications, gradually migrate users from outdated identity systems to modern platforms, and create seamless single sign-on experiences that span completely different technologies. Sessions bridge the gap between disparate identity systems while maintaining both security and user experience.
Security Features
Cryptographically Secure Session Identifiers
Session identifiers are generated using a cryptographically secure random number generator (CSPRNG) with 256-bit entropy. This provides:
2256 possible session IDs - making brute force attacks computationally infeasible
Exceeds OWASP recommendations - OWASP requires minimum 64-bit entropy; Maverics has 256-bit entropy
Zero predictability - each session ID is completely independent and unpredictable
Session Cookie Security
By default, all session cookies are configured with maximum security settings:
Session Cookies Only - Cookies are automatically deleted when the browser closes (MaxAge = 0)
HTTPS Only (Secure flag) - Cookies are only transmitted over encrypted connections
HttpOnly Protection - Prevents client-side JavaScript access to session cookies
SameSite=None - Enables secure cross-site authentication flows while maintaining protection
These settings help protect against:
Session hijacking via network interception
Cross-site scripting (XSS) attacks
Cross-site request forgery (CSRF) attacks
Session fixation attacks
Default Session Lifetime
Sessions are configured with secure default timeouts:
Maximum Session Lifetime: 24 hours
Idle Timeout: Disabled by default (can be configured)
Automatic Cleanup: Expired sessions are automatically purged from the backing storage service
This balances security with user experience, ensuring sessions don’t persist indefinitely while minimizing authentication friction for legitimate users.
Session Termination
The Orchestrator can explicitly terminate user sessions to ensure immediate security enforcement and compliance requirements.
Immediate Effects
All session data is deleted - User attributes, authentication state, and metadata are removed from the session store
Session cookie is invalidated - The user’s browser receives an expired cookie that will be automatically discarded
User access is revoked - Any subsequent requests using the terminated session will be denied and end-users will send users back through the authentication and authorizations flows.
Common Termination Scenarios
Session termination occurs automatically in several situations:
User logout - When users explicitly sign out through your application
Timeout expiration - Sessions that exceed maximum lifetime or idle timeout limits
Security Benefits
Explicit session termination provides immediate security enforcement:
Rapid response to security incidents - Compromised accounts can be immediately secured
Compliance requirements - Meet regulatory standards requiring immediate access revocation
Zero-trust enforcement - Ensure users must re-authenticate after privilege changes
Clean session state - Prevents stale authentication data from affecting future access decisions
Session Cookie
The Orchestrator uses a non-persistent session cookie to maintain an end-user’s state. The lifetime of the cookie is determined by the configured maximum lifetime and idle timeout values.
The session cookie is an opaque cookie that contains only a session identifier. The session identifier is generated using a cryptographically secure random number generator with 256-bit entropy. All other session state is maintained on the Orchestrator server rather than being stored in the cookie itself.
A session cookie should be treated like a secret and not shared. If a malicious actor obtains a session cookie, they could potentially impersonate the authenticated user.
Key characteristics of the Maverics session cookie:
Opaque identifier only - No sensitive data stored in the cookie
Server-side state management - All user attributes and session data stored securely on the server
Cryptographically secure generation - 256-bit entropy ensures unpredictable session identifiers
Configurable cookie attributes - Security settings can be customized while maintaining best practices
Configuration
Maverics sessions include user attributes and orchestration context used to extend cloud identity services to other apps.
Note: Federated identity providers (IDPs) may still hold their own active sessions, which can allow users to re-authenticate silently. To fully log users out across all IDPs, refer to the single logout configuration.
The following parameters for sessions are set in Deployments under Orchestrator Settings.
Session
Field | Description |
|---|---|
Max Lifetime Seconds | This field represents the maximum number of seconds that can elapse post-authentication before the session’s authentication state becomes invalid. |
Evaluate Session Lifetime Service Extension Optional | This service extension point enables you to customize how sessions reaching their max lifetime are handled. The Maximum Lifetime Seconds value is still used for individually expiring attributes. |
Idle Timeout Optional | This field represents the number of seconds a session may remain idle before timing out. If no value is set, or IdleTimeout is set to 0, then the session idle timeout is disabled. |
Evaluate Session Idle Timeout Service Extension Optional | This service extension point enables you to customize how session idle timeouts are handled. If this Service Extension is defined, the Idle Timeout value is ignored. |
Cache Size Optional | This field limits the number of sessions maintained in memory. Defaults to 50,000 sessions. |
Cookie Settings
Field | Description |
|---|---|
Domain | This field specifies the hosts to which the session cookie will be sent. |
Name | A friendly name for the cookie. |
Disable HTTPOnly Attribute Optional | This field toggles the HTTPOnly cookie attribute for the session. If disabled, the session cookie will not have the HttpOnly attribute, allowing the cookie to be accessed via client side scripts. |
Disable Secure Cookie Attribute | This field toggles the Secure cookie attribute. If disabled, the session cookie will not have the Secure attribute, allowing the browser to send the cookie over an unencrypted HTTP request. |