Session Services
Sessioning is used to maintain consistent user sessions across multi-tiered application environments.
AgentAPI methods that implement session services are:
- login()
- logout()
Agents that perform session management use the sessioning services of the Java Agent API to create, delegate, validate, and terminate user sessions.
For login and logout of SiteMinder administrators for Policy Server or DMS sessions, use the methods SmApiSession.login() and SmApiSession.logout() in the Utility package.
Session Creation and the Session Specification
A session is created after a successful user login. Once created, a user session persists until it is terminated.
When a user is authenticated, the Policy Server issues a session specification. A session specification contains information about the user. User-side session persistence in a multi-tiered application environment is accomplished by saving and maintaining the user information in the session specification. This session specification represents a user session. It is the key to SiteMinder session management.
The SiteMinder environment where the user session was created is responsible for the creation, maintenance, and persistent storage of the session specification. For example, the Web Agent (HTTP environment) stores the session specification in an HTTP cookie.
Agents create sessions using login(). This method authenticates the user credentials and obtains the information for the session specification (including the unique session ID). Once created, the session specification is updated on subsequent Java Agent API calls, which also return updated expiration times. Agents can use this information to perform custom session management and keep track of session timeouts.
If your Web server’s user-tracking feature is enabled, the SiteMinder Policy Server issues an identity ticket in addition to the session specification. Identity tickets can be used for identity-based personalization when a user is accessing a resource protected by anonymous authentication schemes. Identity tickets never expire.
Another important feature that is seamlessly integrated with the sessioning mechanism is the SiteMinder universal ID. A universal ID identifies the user to an application in a SiteMinder environment through a unique identifier, such as a social security number or customer account number. The universal ID facilitates identification of users between old and new applications by delivering the user’s identification automatically, regardless of the application. Once configured on the Policy Server, a user’s universal ID becomes part of the session specification and is made available to agents for the duration of the entire session.
Session Validation
Agents request validation of a session specification to make sure that a user session has neither expired nor been terminated or revoked. This can occur at any time during the session’s lifetime. Agents call AgentAPI.login() to validate a session specification.
Session Delegation
When an application’s logic flow crosses application tiers, sessions may be delegated by passing the session specification between two agents. Each agent can choose to have the session specification validated.
Session Termination
A session is terminated in any of the following ways:
- After a user logs out and the agent discards the session specification
- When the session expires
- When the session is revoked
- When the user account is disabled
To terminate a session, the agent must discard the session specification. Once a session is terminated, the user must log in again to establish a new session.
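The session lifecycle described in the sections above (creation on login, validation on later calls that also refresh the expiration times, delegation of the specification between tiers, and termination by logout, expiry, revocation or a disabled account) as one added, self-contained Python model. This is not code from the SiteMinder Java Agent API or from this page: PolicyServer, Agent, SessionError, the user table, the timeouts, the clock and the HMAC-protected specification format are all constructed assumptions made so the model runs offline; a real agent calls AgentAPI.login() and logout() and never inspects the specification itself.

```python
import base64, hashlib, hmac, json, secrets
class SessionError(Exception):
    pass

class PolicyServer:
    """Constructed stand-in for the Policy Server; not the SiteMinder Java Agent API."""

    def __init__(self, users, clock, idle_timeout=900, max_timeout=7200):
        self.users, self.clock = users, clock            # constructed user table, injectable clock
        self.idle_timeout, self.max_timeout = idle_timeout, max_timeout
        self.key, self.revoked = secrets.token_bytes(32), set()   # HMAC key (assumption), revoked ids

    def _sign(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def _issue(self, fields):
        # Assumption: spec = base64(JSON) + "." + HMAC, so an agent-held copy (e.g. a cookie) cannot be altered unnoticed
        payload = base64.urlsafe_b64encode(json.dumps(fields).encode()).decode()
        return payload + "." + self._sign(payload)

    def _parse(self, spec):
        payload, _, sig = (spec or "").rpartition(".")
        if not payload or not hmac.compare_digest(sig, self._sign(payload)):
            raise SessionError("integrity check failed")
        return json.loads(base64.urlsafe_b64decode(payload))

    def login(self, username, password):
        """Authenticate; return a fresh spec carrying a unique session id, or None."""
        user = self.users.get(username)
        if user is None or user["disabled"] or not hmac.compare_digest(user["password"], password):
            return None
        now = self.clock()
        return self._issue({"sid": secrets.token_hex(16), "user": username,
                            "uid": user["universal_id"], "start": now, "last": now})

    def validate(self, spec):
        """Reject terminated sessions; else return the refreshed spec and its new expiry times."""
        f, now = self._parse(spec), self.clock()
        user = self.users.get(f["user"])
        for failed, why in ((f["sid"] in self.revoked, "session revoked"),
                            (user is None or user["disabled"], "user account disabled"),
                            (now - f["last"] > self.idle_timeout, "idle timeout exceeded"),
                            (now - f["start"] > self.max_timeout, "maximum lifetime exceeded")):
            if failed:
                raise SessionError(why)
        f["last"] = now                                  # every validated call refreshes the idle clock
        return self._issue(f), {"idle": now + self.idle_timeout, "max": f["start"] + self.max_timeout}

    def revoke(self, spec):
        self.revoked.add(self._parse(spec)["sid"])

class Agent:
    """One application tier. Terminating a session means discarding the spec it holds."""

    def __init__(self, server):
        self.server, self.spec = server, None

    def login(self, username, password):
        self.spec = self.server.login(username, password)
        return self.spec is not None

    def validate(self):
        try:
            self.spec, self.expiry = self.server.validate(self.spec)
            return True
        except SessionError:
            self.spec = None                             # terminated: discard the spec
            return False

    def logout(self):
        self.spec = None                                 # the user must log in again after this

def run_scenario():
    """One user through creation, delegation, tampering, idle expiry, revocation and disablement."""
    now = [1_700_000_000.0]                              # constructed clock, advanced by hand
    users = {"alice": {"password": "correct horse", "universal_id": "CUST-0042", "disabled": False}}
    server = PolicyServer(users, clock=lambda: now[0])
    web, app = Agent(server), Agent(server)
    r = {"bad_password": web.login("alice", "wrong"), "login": web.login("alice", "correct horse")}
    app.spec = web.spec                                  # delegation: web tier hands the spec to the app tier
    r["delegated_valid"] = app.validate()
    r["universal_id"] = server._parse(app.spec)["uid"]   # universal ID travels inside the spec
    tampered = app.spec[:-1] + ("0" if app.spec[-1] != "0" else "1")
    try:
        server.validate(tampered)
        r["tampered"] = "accepted"
    except SessionError:
        r["tampered"] = "rejected"
    now[0] += 600
    r["within_idle"] = web.validate()                    # 600 s idle, under the 900 s limit
    now[0] += 1000
    r["after_idle"] = web.validate()                     # 1000 s idle: terminated, spec discarded
    web.login("alice", "correct horse")
    server.revoke(web.spec)
    r["after_revoke"] = web.validate()
    web.login("alice", "correct horse")
    users["alice"]["disabled"] = True
    r["after_disable"] = web.validate()
    return r
```

The point the model makes is that the agent never decides validity on its own: every outcome that the page lists as termination (logout, expiry, revocation, disabled account) ends the same way on the agent side, by discarding the specification, and the only copy of the session state the agent needs is the opaque specification it hands back on each call. Because the Web Agent keeps that specification in a cookie, the integrity protection in this model stands in for whatever protection the real Policy Server applies; a specification that fails the check is treated exactly like an expired one.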