configure session lifetime with session quota

This topic has 1 reply, 2 voices, and was last updated 6 days, 12 hours ago by Jatinder Singh.

  • #27736
     ranjit
    Participant

    Hi,

    My mobile app has gotten 3 tokens (id, access and refresh) from FR after authenticating with FR through a web-view opened from the mobile app with the help of the AppAuth library.
    This resulted in a server-side session in FR whose expiry time is 120 min.

    Once 120 min. have elapsed, my understanding is that FR does not have any information about this session.
    However, my mobile app will still keep working and keep getting new access-tokens by exchanging refresh tokens without any problem as long as those tokens are not expired. All tokens are CTS-based (i.e., server-side).

    If I am correct so far, then I have one question.
    If I have configured the session limit of 1 session per user, then is it fair to say that after 120 min. (when the session expires) I am free to open the same mobile app from another phone and sign in using the SAME ID?
    Basically, the user can now work from 2 phones.

    Thanks.

    #27758
     Jatinder Singh
    Participant

    Yes, after 120 mins the user would be able to sign in using the same user id on a different device. That said, the same user can still log in from a different device within the 120 mins window – but in that case a new session will be created, destroying the old session. There are different configurations available for the session quota feature.

    Deny Access. New session creation requests will be denied.
    Destroy Next Expiring. The session that would expire next will be destroyed.
    Destroy Oldest. The oldest session will be destroyed.
    Destroy All. All previous sessions will be destroyed.
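
The four quota actions listed in the answer above, as a simplified model added here for illustration; it is not ForgeRock code and not from either poster. The `SessionStore` class, the `scenario` timeline, and the assumptions that an expired session stops counting against the quota and that the quota is at least 1 are all hypothetical.

```python
from dataclasses import dataclass
from enum import Enum

class QuotaAction(Enum):
    DENY_ACCESS = "Deny Access"
    DESTROY_NEXT_EXPIRING = "Destroy Next Expiring"
    DESTROY_OLDEST = "Destroy Oldest"
    DESTROY_ALL = "Destroy All"

@dataclass
class Session:
    device: str
    created: int   # minutes since t=0
    expires: int   # minutes since t=0

class SessionStore:
    """Toy session table for ONE user (illustrative model, quota >= 1)."""
    def __init__(self, quota, action):
        self.quota, self.action, self.sessions = quota, action, []

    def login(self, device, now, lifetime=120):
        # Assumption: expired sessions no longer count against the quota.
        self.sessions = [s for s in self.sessions if s.expires > now]
        while len(self.sessions) >= self.quota:
            if self.action is QuotaAction.DENY_ACCESS:
                return False          # new session request is refused
            if self.action is QuotaAction.DESTROY_ALL:
                self.sessions.clear()
            elif self.action is QuotaAction.DESTROY_OLDEST:
                self.sessions.remove(min(self.sessions, key=lambda s: s.created))
            else:                     # DESTROY_NEXT_EXPIRING
                self.sessions.remove(min(self.sessions, key=lambda s: s.expires))
        self.sessions.append(Session(device, now, now + lifetime))
        return True

    def devices(self):
        return sorted(s.device for s in self.sessions)

def scenario(action, quota=1):
    """Constructed timeline: phone A at t=0, phone B at t=30, phone C at t=121."""
    store = SessionStore(quota, action)
    results = [store.login("phone-A", 0), store.login("phone-B", 30)]
    after_b = store.devices()         # who holds a session inside the 120 min window
    results.append(store.login("phone-C", 121))
    return results, after_b, store.devices()
```

With a quota of 1, only Deny Access keeps the second phone out during the 120 min window; the three destroy actions let it in and end the first phone's session instead.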


©2020 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries.
