Session Management in IAM – Identity Security
Introduction to User Session Management
A session is a user's interaction with an application over a period of time. An application needs a way to keep track of users who have already authenticated, and the session often carries data about that authenticated user, so session management matters for security. A session has a lifetime (a start and an end): every session should have both an idle timeout and a maximum (absolute) timeout, and once either is reached the session expires and is no longer valid.
Application Sessions
Applications need to track session information, such as the authenticated identity, and usually create a unique identifier for each session.
In web applications the session is typically tracked with a cookie set by the application server. The cookie normally carries only the session identifier, with the session data held on the server; because anyone holding that cookie holds the session, it should be marked Secure and HttpOnly and bound with SameSite.
For native applications and browser-based single-page applications, session information is kept on the client (in memory or in local storage), and it is important not to store sensitive information on the client side.
Sessions stored on the server side consume resources; if a user leaves a session active and the client loses its connection to the server, those server resources are wasted until the session expires.
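The two storage models described above, as an added example in Python that is not from the original page: a server-side store where the cookie carries only an opaque random identifier, beside a signed client-side cookie whose contents are tamper-evident but readable by anyone who obtains the cookie, which is why sensitive data does not belong in it. The secret, class and function names and the sample data are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo secret for the signed-cookie variant. Assumption: a real
# deployment loads this from a secrets manager, never from source code.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


class ServerSideSessionStore:
    """Session data lives on the server; the cookie carries only an opaque id."""

    def __init__(self):
        self._sessions = {}

    def create(self, data):
        # 256-bit random id from the OS CSPRNG: unguessable and meaningless on its own.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = dict(data)
        return session_id  # this string becomes the cookie value

    def load(self, cookie_value):
        # Unknown (or previously destroyed) ids simply yield no session.
        return self._sessions.get(cookie_value)

    def destroy(self, cookie_value):
        self._sessions.pop(cookie_value, None)


def make_client_side_cookie(data):
    """Signed, NOT encrypted: the server can detect tampering, but the payload is
    plain base64 that the client (or a thief) can read, so keep secrets out of it."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def read_client_side_cookie(cookie_value):
    """Returns the data if the signature verifies, None for malformed or tampered cookies."""
    try:
        payload, sig = cookie_value.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def peek_without_secret(cookie_value):
    """What anyone holding the cookie can read without knowing SERVER_SECRET."""
    payload, _ = cookie_value.rsplit(".", 1)
    return json.loads(base64.urlsafe_b64decode(payload.encode()))
```

`peek_without_secret` is the point of the comparison: the server-side store leaks nothing through the cookie, while the signed cookie only prevents modification, not disclosure.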
Identity Provider (IdP) Sessions
An Identity Provider (IdP) is a service that stores and verifies user identities; applications rely on it to delegate the identity management function (authentication, and often authorization).
When an application relies on an IdP, the user has two sessions: one with the application and a second one with the identity provider.
Session Features
Session Duration
Idle session timeout
The idle timeout is the length of time a user can stay logged in without any activity; once it elapses, the session expires and the user is logged out. The idle timer is reset every time the user interacts with the application.
Usually the user is shown a warning that the session will expire in a given number of seconds if there is no further activity.
Session Timeout
The session timeout (also called the absolute timeout) is the maximum session lifetime configured by the server; once it is reached the user has to reauthenticate, regardless of recent activity.
The session timeout differs with the sensitivity of the application.
For example, a social media application's session may never expire, whereas a banking application should have a short session timeout.
The session timeout can also be infinite, in which case the idle timeout is the only limiting factor: as long as the user keeps interacting, the session never expires.
Session Renewal
When the application session expires, the application redirects the user to reauthenticate.
The user then enters credentials again; however, the application may rely on a third party, an identity provider (IdP), to manage authentication on its behalf, in which case the redirect goes to the IdP rather than to the application's own login page.
Token Renewal
Tokens are different from sessions: a token is used by the application to call APIs on behalf of the user and to do work in the background without interrupting the user.
It is considered best practice to give tokens a short expiry, so new tokens will be needed within an existing session.
When a token expires, the application may redirect the user to the IdP for authentication; if the IdP session is still active, the IdP issues a new token to the application without interrupting the user.
If the IdP session is no longer active, the redirected user has to reauthenticate by entering credentials.
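The session-renewal and token-renewal flows from the two sections above, as an added example that is not from the original page and does not model any particular IdP product: a toy IdP with its own session and short-lived access tokens, a relying application with its own session, and a fake clock so each expiry can be stepped through. The lifetimes, the user database and the `authorize`/`call_api` names are assumptions made for the demo; a real deployment would use an OIDC redirect (for example with `prompt=none`) or a refresh token for the silent case.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed lifetimes in seconds: the IdP session outlives both the app session
# and the deliberately short-lived access token.
IDP_SESSION_LIFETIME = 8 * 3600
APP_SESSION_LIFETIME = 30 * 60
ACCESS_TOKEN_LIFETIME = 5 * 60

# Constructed user database for the toy IdP (plaintext only because it is a demo).
USERS = {"alice": "correct horse battery staple"}


class Clock:
    """Fake clock so the scenario can jump forward deterministically."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


@dataclass
class IdentityProvider:
    """Toy IdP: one session per login, plus short-lived access tokens minted on request."""
    clock: Clock
    sessions: dict = field(default_factory=dict)   # idp_session_id -> (user, expires_at)
    issued: int = 0

    def login(self, user, password):
        if USERS.get(user) != password:
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, self.clock.now() + IDP_SESSION_LIFETIME)
        return sid

    def session_user(self, sid):
        entry = self.sessions.get(sid)
        if entry is None or entry[1] <= self.clock.now():
            return None   # no IdP session, or it has expired
        return entry[0]

    def authorize(self, idp_session_id, credentials=None):
        """Where the application's redirect lands. Silent while the IdP session is
        alive; otherwise the user must supply credentials and a new IdP session starts."""
        user = self.session_user(idp_session_id)
        if user is None:
            if credentials is None:
                return {"prompt": "login"}
            user, password = credentials
            idp_session_id = self.login(user, password)
        self.issued += 1
        token = {"sub": user, "exp": self.clock.now() + ACCESS_TOKEN_LIFETIME, "jti": self.issued}
        return {"idp_session_id": idp_session_id, "access_token": token,
                "silent": credentials is None}


@dataclass
class Application:
    """Relying application: its own session plus the latest access token from the IdP."""
    idp: IdentityProvider
    clock: Clock
    app_session_expires: float = 0.0
    access_token: Optional[dict] = None
    idp_cookie: Optional[str] = None   # the browser's cookie for the IdP domain
    login_prompts: int = 0

    def _session_alive(self):
        return self.app_session_expires > self.clock.now()

    def _token_alive(self):
        return self.access_token is not None and self.access_token["exp"] > self.clock.now()

    def call_api(self, credentials=None):
        """Returns (user, how), where `how` records what it took to get a usable token."""
        if self._session_alive() and self._token_alive():
            return self.access_token["sub"], "cached"
        # App session or token expired: send the user, with the IdP cookie, to the IdP.
        result = self.idp.authorize(self.idp_cookie, credentials)
        if "prompt" in result:
            self.login_prompts += 1
            return None, "login-required"
        self.idp_cookie = result["idp_session_id"]
        self.access_token = result["access_token"]
        self.app_session_expires = self.clock.now() + APP_SESSION_LIFETIME
        return self.access_token["sub"], ("silent" if result["silent"] else "interactive")


def run_scenario():
    """Step through the renewals and return the sequence of outcomes."""
    clock, log = Clock(), []
    app = Application(IdentityProvider(clock), clock)
    log.append(app.call_api()[1])                            # no IdP session yet
    log.append(app.call_api(("alice", USERS["alice"]))[1])   # user types credentials
    clock.advance(60)
    log.append(app.call_api()[1])                            # everything still valid
    clock.advance(ACCESS_TOKEN_LIFETIME)
    log.append(app.call_api()[1])                            # token expired, IdP session alive
    clock.advance(APP_SESSION_LIFETIME)
    log.append(app.call_api()[1])                            # app session expired, IdP session alive
    clock.advance(IDP_SESSION_LIFETIME)
    log.append(app.call_api()[1])                            # IdP session gone: credentials again
    return log
```

The two "silent" steps are the ones the text describes: the user never sees a prompt as long as the IdP session is alive, and only the final step, after the IdP session itself has expired, requires credentials again.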
Re-Constituted Sessions
It is disruptive for users to have their sessions time out frequently, especially in heavily used applications.
An application that needs a frequent session timeout and falls into this category may want to improve the user experience by offering sessions that can be reconstituted after the timeout.
With this scheme, upon session timeout the application invalidates the session for further use but retains a memory of the session and of the identity associated with it, so that the session state can be restored if the user actively reauthenticates as the same identity.
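The session-duration rules (idle timeout reset by activity, absolute timeout that activity cannot extend, an expiry warning shortly before idle timeout) and the reconstituted-session scheme from this section, as one added Python example that is not from the original page. The timeout values, class names and the `touch`/`reauthenticate` interface are assumptions made for the demo; the clock is injected so the scenario is deterministic.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy, in seconds. Real values depend on the application's sensitivity.
IDLE_TIMEOUT = 15 * 60          # reset by activity
ABSOLUTE_TIMEOUT = 8 * 3600     # never reset; forces reauthentication
WARN_BEFORE = 60                # warn the user this many seconds before idle expiry


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    state: dict = field(default_factory=dict)     # e.g. a cart or a half-filled form
    expired_reason: Optional[str] = None


class SessionManager:
    def __init__(self, clock):
        self.clock = clock            # callable returning the current time
        self.active = {}              # session_id -> Session
        self.expired = {}             # session_id -> Session retained for reconstitution

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # unguessable id from the OS CSPRNG
        now = self.clock()
        self.active[sid] = Session(user, now, now)
        return sid

    def status(self, sid):
        """One of: active, warning, idle-expired, absolute-expired, unknown."""
        s = self.active.get(sid)
        if s is None:
            old = self.expired.get(sid)
            return old.expired_reason if old else "unknown"
        now = self.clock()
        if now - s.created_at >= ABSOLUTE_TIMEOUT:
            return "absolute-expired"       # checked first: activity cannot rescue it
        idle_left = IDLE_TIMEOUT - (now - s.last_seen)
        if idle_left <= 0:
            return "idle-expired"
        return "warning" if idle_left <= WARN_BEFORE else "active"

    def touch(self, sid):
        """Call on every authenticated request. Resets the idle clock only.
        Returns False (and retires the session) once either timeout has passed."""
        st = self.status(sid)
        if st in ("active", "warning"):
            self.active[sid].last_seen = self.clock()
            return True
        if st.endswith("expired") and sid in self.active:
            # Reconstituted-session scheme: unusable from now on, but identity and
            # state are remembered so a fresh login by the same user can pick them up.
            s = self.active.pop(sid)
            s.expired_reason = st
            self.expired[sid] = s
        return False

    def reauthenticate(self, old_sid, user, password_ok):
        """The user logs in again after expiry. Only the same identity gets the old
        state back, and always under a new session id (the old id is never revived)."""
        if not password_ok:
            return None
        new_sid = self.create(user)
        old = self.expired.pop(old_sid, None)
        if old is not None and old.user == user:
            self.active[new_sid].state = old.state
        return new_sid


def run_scenario():
    """Walk one session through warning, idle expiry, reconstitution and the absolute limit."""
    t = [0.0]
    mgr = SessionManager(lambda: t[0])
    log = []
    sid = mgr.create("alice")
    mgr.active[sid].state["cart"] = ["widget"]
    t[0] += IDLE_TIMEOUT - 30
    log.append(mgr.status(sid))              # warning: 30 s of idle time left
    mgr.touch(sid)
    log.append(mgr.status(sid))              # active again: idle clock reset
    t[0] += IDLE_TIMEOUT + 1
    log.append(mgr.status(sid))              # idle-expired
    log.append(mgr.touch(sid))               # False: session retired, state remembered
    new_sid = mgr.reauthenticate(sid, "alice", password_ok=True)
    log.append(mgr.active[new_sid].state)    # cart restored under a new id
    while mgr.touch(new_sid):                # stay busy so the idle timeout never fires
        t[0] += IDLE_TIMEOUT // 2
    log.append(mgr.status(new_sid))          # absolute-expired despite constant activity
    return log
```

Two design points worth noting: the absolute check runs before the idle check so that continuous activity cannot keep a session alive forever, and reconstitution hands the old state to a freshly generated identifier rather than reviving the expired one, so a stolen expired cookie is worthless.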
Application Sessions vs Identity Provider (IdP) Sessions
Aspect | Application Sessions | IdP Sessions |
---|---|---|
Definition | Application sessions refer to the user’s session within a specific web application. | IdP sessions represent the user’s session at the Identity Provider (such as Okta, Auth0, or an SSO system). |
Purpose | Tracks user interactions within the application (e.g., maintaining state, user preferences, and context). | Manages user authentication, identity, and access across multiple applications. |
Creation Point | Created by the application after successful user authentication. | Created during primary authentication with the IdP (e.g., username/password verification). |
Storage Location | Stored within the application (e.g., server memory, cookies, or database). | Tracked by the IdP (often via session cookies set on the IdP domain). |
Lifespan | Application-specific (controlled by the application’s session timeout settings). | Typically longer-lived (controlled by the IdP’s policies and user activity). |
Authentication Dependency | Requires successful authentication with the IdP to create an application session. | Primary authentication with the IdP establishes the IdP session. |
Tokens | Receives tokens (e.g., access tokens, ID tokens) from the IdP after successful authentication and uses them to call APIs. | Issues tokens (access, ID and, where configured, refresh tokens) and validates them when new tokens are requested. |
Refresh Tokens | Holds the refresh token (if one was issued) and uses it to obtain new access tokens without sending the user back through login; this renews tokens, not the application session itself. | Accepts refresh tokens and returns new access tokens without user interaction, subject to its own policy (expiry, revocation). |
Silent Renewal | Can silently renew tokens using a refresh token (if available) or by redirecting to the IdP while the IdP session is still active. | Performs silent renewals (no prompt) while its own session is alive; otherwise falls back to an interactive login. |
Summary
Effective session management is crucial for maintaining security and resource efficiency in applications. By understanding session lifetimes, idle timeouts, and the role of identity providers, developers can create robust systems that balance user convenience with safeguarding sensitive information. Remember to communicate session expiration warnings to users, ensuring a seamless experience while protecting their data.