This topic has 3 replies, 3 voices, and was last updated 6 years, 4 months ago by Peter Major.

  • #10798

    We are using stateful sessions. When we call OpenAM’s token refresh REST API, the idle time is getting reflected/updated, but it seems that the token is not getting changed on refresh. Isn’t the token supposed to be changed when the token is refreshed for its idle time in the backend?

    Is it true that in the stateful world we will have the same token throughout the life of the session?

    Thanks,
    Anji.

    #10840
     Scott Heger
    Participant

    The token itself will not change, as that is the reference to the session that is kept by OpenAM. When you send “refresh=true” you only reset the idle time. The overall session time is not changed, and neither the session itself nor the token is changed.

    #10888

    Thanks Scott. So you say that the actual token string will not be changed on refresh but the idle time will be reset in the OpenAM session to keep it alive. So this means that the token (actual string, I mean) will remain constant for its lifetime then.

    I was reading some articles saying that it is a good idea to change the token string every time it is touched for policy evaluation. I am not very sure if there is any driving factor to keep the token constant in its entire session life.

    Please confirm.

    #10934
     Peter Major
    Moderator

    Regardless of using stateful or stateless sessions, the session ID will remain the same throughout its lifetime. Resetting the idle timeout is an operation that changes the session itself, but not the session ID.
    The session ID only changes if the session gets upgraded (e.g. when authenticating with a new authentication module to gain elevated privileges).
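
The behaviour described in the replies above, as a small Python model added for illustration; it is not part of the thread and not OpenAM code. The class, method names and timeout values are assumptions: a refresh resets only the idle timer, the maximum session time still applies, and the ID is replaced only on upgrade.

```python
import secrets

class SessionStore:
    """Toy model of a stateful session store (hypothetical, not OpenAM's implementation)."""

    def __init__(self, max_idle=1800, max_session=7200):
        self.max_idle = max_idle        # seconds of allowed inactivity
        self.max_session = max_session  # hard cap on total session life
        self._sessions = {}             # opaque session ID -> server-side state

    def create(self, now, auth_level=0):
        sid = secrets.token_urlsafe(32)  # the ID is only a reference to the state
        self._sessions[sid] = {"created": now, "last_access": now,
                               "auth_level": auth_level}
        return sid

    def is_active(self, sid, now, refresh=False):
        s = self._sessions.get(sid)
        if s is None:
            return False
        if (now - s["last_access"] > self.max_idle
                or now - s["created"] > self.max_session):
            del self._sessions[sid]      # expired: drop the server-side state
            return False
        if refresh:
            s["last_access"] = now       # idle timer reset; ID and creation time untouched
        return True

    def upgrade(self, sid, now, auth_level):
        """Step-up authentication: issue a new ID and retire the old one."""
        if not self.is_active(sid, now):
            raise KeyError("session expired or unknown")
        state = self._sessions.pop(sid)  # old ID stops resolving immediately
        # Keeping the original creation time is a choice of this model.
        state.update(auth_level=auth_level, last_access=now)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = state
        return new_sid
```

Replacing the ID at the privilege boundary means a copy of the pre-upgrade ID held elsewhere never resolves to the elevated session.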
