How to configure session time out in WSO2 Identity Server (WSO2IS)

I have seen many queries about configuring the SSO session timeout in WSO2IS. First, you need to understand that WSO2IS creates a separate session for SSO login, and it is different from the session that is created when you log in to the WSO2IS management console.

Let's see how you can configure the SSO session timeout in WSO2IS.

When an end user logs in through WSO2IS to a service provider application (using SAML2 SSO, OpenID, OpenID Connect, Passive STS, etc.), WSO2IS creates an SSO session for the end user, and a cookie related to that SSO session is set in the user’s browser.

This cookie can be seen as “commonAuthId”. It is set in the user’s browser with the hostname of the WSO2IS instance, and the value of the “commonAuthId” cookie is the SSO session identifier.
When an SSO session is created in WSO2IS, the session is put into the session cache and persisted to the database. To persist it to the database, you must enable session persistence.


Why is it important to persist the SSO session?


SSO sessions are stored in an in-memory cache. It is recommended to persist the SSO sessions for the following reasons.

1. If you are running a single WSO2IS instance and the server is restarted, all SSO sessions are removed. If you have multiple WSO2IS nodes, it is not guaranteed that you can recover all the sessions. Although the cache is distributed, it is not 100% shared across every node.

2. The cache has a limit. If there is a large number of SSO sessions, memory usage can be high and server performance may degrade. So the cache is usually evicted after a given number of entries (by default 10000 entries). Therefore, some SSO sessions can be evicted from the cache when there is a large number of user logins.

3. In a clustered deployment, if you have no persistence, you need to rely 100% on the distributed cache. If you have persistence, you can rely on it as well, which increases the reliability of the overall system.


How to enable session persistence?


You can enable it using the following property in the identity.xml file.


After WSO2IS 5.1.0, it has been enabled by default.


How to disable and configure the session cache?


If you need to, you have the flexibility to configure the session cache using the identity.xml file.


You can enable or disable it and configure the cache capacity (the capacity at which cache eviction starts).


How to configure the SSO session timeout?


WSO2IS has an idle session timeout for SSO sessions, and you can configure its value. By default, it is set to 15 minutes. This means that if WSO2IS does not receive any SSO authentication request for a given user for 15 minutes, the SSO session times out.

If you are using WSO2IS 5.1.0, you can configure it using the following property in the repository/conf/identity/identity.xml file.


If you are using WSO2IS 5.0.0, you can configure it using the following property in the repository/conf/tomcat/carbon/WEB-INF/web.xml file.


You can configure a higher value for this in a real deployment. The default of 15 minutes is not enough for usual SSO login.


How does remember me work?


If you check the “commonAuthId” cookie, its expiry time is set to “At end of session”. This means that if you close the browser or restart your machine, the cookie is removed. So when you close your browser after SSO login, your SSO session in WSO2IS is invalidated.

Therefore, if you need the SSO session to be remembered, you need to tick the Remember Me option on the WSO2IS login page. The “commonAuthId” cookie is then set with a defined expiry value and remains in the browser until it expires.

The expiry time of the “commonAuthId” cookie can be configured with the following property.

In WSO2IS 5.1.0, use the repository/conf/identity/identity.xml file.


In WSO2IS 5.0.0, use the repository/conf/identity.xml file.


It is set to 14 days (2 weeks) by default.


What is the session persistence timeout?


You can find the session cleanup timeout configuration in the identity.xml file. This value is used to find the timed-out sessions that must be removed from the database.

In WSO2IS 5.1.0, use the repository/conf/identity/identity.xml file.


In WSO2IS 5.0.0, use the repository/conf/identity.xml file.


It is important to configure a high value for this. This value must be larger than both the idle session timeout and the remember me timeout.
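
The rule above can be checked automatically before a configuration is deployed. The following is an added example, not code from the original post or from WSO2: it parses an identity.xml document and reports when persistence is off or when the cleanup timeout is not larger than the idle and remember me timeouts. The element names and paths, and the idea that all three values are in minutes, are assumptions about a 5.1.0-style file that do not appear on this page; adjust them to match your own identity.xml.

```python
import xml.etree.ElementTree as ET

# Assumed element paths (local names) in a 5.1.0-style identity.xml; values in minutes.
TIMEOUT_PATHS = {
    "idle": ("TimeConfig", "SessionIdleTimeout"),
    "remember_me": ("TimeConfig", "RememberMeTimeout"),
    "cleanup": ("SessionDataPersist", "SessionDataCleanUp", "CleanUpTimeout"),
}

# Constructed sample: cleanup (1 day) is shorter than remember me (14 days).
SAMPLE_IDENTITY_XML = """<Server xmlns="urn:example:constructed">
  <TimeConfig>
    <SessionIdleTimeout>15</SessionIdleTimeout>
    <RememberMeTimeout>20160</RememberMeTimeout>
  </TimeConfig>
  <SessionDataPersist>
    <Enable>true</Enable>
    <SessionDataCleanUp><CleanUpTimeout>1440</CleanUpTimeout></SessionDataCleanUp>
  </SessionDataPersist>
</Server>"""

def _text(root, *path):
    """Walk child elements by local name (namespace ignored); return text or None."""
    node = root
    for name in path:
        node = next((c for c in node if c.tag.rsplit("}", 1)[-1] == name), None)
        if node is None:
            return None
    return (node.text or "").strip()

def audit_session_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "SessionDataPersist", "Enable") != "true":
        findings.append("session persistence is not enabled")
    values = {}
    for key, path in TIMEOUT_PATHS.items():
        raw = _text(root, *path)
        if raw is None or not raw.isdigit():
            findings.append(f"{key} timeout is missing or not a whole number")
        else:
            values[key] = int(raw)
    if len(values) == 3 and values["cleanup"] <= max(values["idle"], values["remember_me"]):
        findings.append("cleanup timeout must be larger than idle and remember-me timeouts")
    return findings

print(audit_session_config(SAMPLE_IDENTITY_XML))
```

With the constructed sample, the audit reports one finding, because sessions kept alive by Remember Me for 14 days would be cleaned from the database after one day.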

Thanks for reading..!!!