Sessions

LL::NG relies on a session mechanism in which the session ID is a shared secret between the user (carried in the SSO cookie) and the session database.

To configure sessions, go into Manager, General Parameters » Sessions:

  • Store user password in session data: see password store documentation.
  • Sessions timeout: Maximum lifetime of a session. Old sessions are deleted by a cron script.
  • Sessions activity timeout: Maximum inactivity duration.
  • Sessions update interval: Minimum interval between two updates of the session's last-activity time when the activity timeout is set.
    Note: the session activity timeout requires Handlers with write access to the sessions database.
  • Opening conditions: rules that are evaluated before a session is granted. If a user does not satisfy a condition, a customized message is displayed. That message can contain session data such as user attributes or macros. Conditions are checked in alphabetical order of their comment.
  • Sessions Storage: you can define here which session backend to use and backend options. See sessions database configuration to know usable modules. Here are some global options that can be used with all session backends:
    • generateModule: allows one to override the default module that generates session identifiers. For security reasons, we recommend using Lemonldap::NG::Common::Apache::Session::Generate::SHA256
    • IDLength: length of session identifiers. The maximum is 32 for MD5 and 64 for SHA256.
  • Multiple sessions: you can restrict the number of open sessions:
    • One session only by user: a user cannot open 2 sessions with the same account.
    • One IP only by user: a user cannot open 2 sessions from different IP addresses.
    • One user by IP address: 2 users cannot open a session from the same IP address.
    • Display deleted sessions: display deleted sessions during the authentication phase.
    • Display other sessions: display other sessions during the authentication phase, with a link to delete them.
  • Persistent sessions: you can specify the session backend and its options. Persistent sessions are used by the portal to store login history, second factor devices and Service Provider consents.
Note that since HTTP is a stateless protocol, the restrictions are not applied to the new session: the oldest conflicting sessions are destroyed instead.
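As an added illustration of how the three "Multiple sessions" restrictions combine with the note above (example code written for this page, not code from the LL::NG project), the following Python model decides which existing sessions are destroyed when a new one is opened. The session field names `uid`, `ip` and `utime` are assumptions standing in for the real session attributes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Minimal view of a stored session (field names are assumptions)."""
    id: str
    uid: str    # authenticated account
    ip: str     # client IP address at login
    utime: int  # creation time (epoch seconds)


def sessions_to_destroy(existing, new, single_session=False,
                        single_ip=False, single_user_by_ip=False):
    """Return ids of the existing sessions that conflict with `new`.

    The restrictions are never applied to the new session itself: it is
    always granted, and the older conflicting sessions are removed. The
    result is ordered oldest first, which is what "Display deleted
    sessions" would show the user on the authentication page.
    """
    doomed = {}
    for s in existing:
        if s.id == new.id:
            continue
        # One session only by user: same account, whatever the IP.
        if single_session and s.uid == new.uid:
            doomed[s.id] = s.utime
        # One IP only by user: same account from a different IP.
        if single_ip and s.uid == new.uid and s.ip != new.ip:
            doomed[s.id] = s.utime
        # One user by IP address: different account from the same IP.
        if single_user_by_ip and s.ip == new.ip and s.uid != new.uid:
            doomed[s.id] = s.utime
    return sorted(doomed, key=doomed.get)


# Constructed sample store: alice has two sessions, bob shares an IP with her.
STORE = [
    Session("a", "alice", "10.0.0.1", 100),
    Session("b", "alice", "10.0.0.2", 200),
    Session("c", "bob", "10.0.0.2", 300),
]
NEW = Session("n", "alice", "10.0.0.2", 400)
```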