[Shib-Users] Extending lifetime of Shibboleth2 sessions to infinite


Flavia Donno

Mar 5, 2010, 8:38:31 AM
to shibbole...@internet2.edu
Hello,
On our servers currently Shibboleth2 sessions expire after a day or
less. We need to make Shibboleth2 sessions "permanent". We tried to make
the following changes in /etc/shibboleth/shibboleth2.xml:

1. changed the Sessions lifetime to 0, which should mean sessions do not
timeout except in the case of long inactivity (it used to work with
Shibboleth 1)
2. changed the Sessions timeout to 604800 and the SessionCache
cacheTimeout also to 604800, which should mean sessions only timeout if
there is no activity for a week
3. restarted shibd to pick up the above changes to the cache timeout

However, this does not appear to have made any difference.

Can you please advise on how we can extend the Shibboleth session lifetime?

Thanks.

Flavia Donno
CERN/IT

Peter Schober

Mar 5, 2010, 8:45:04 AM
to shibbole...@internet2.edu
* Flavia Donno <Flavia...@cern.ch> [2010-03-05 14:39]:

> 1. changed the Sessions lifetime to 0, which should mean sessions do not
> timeout except in the case of long inactivity (it used to work with
> Shibboleth 1)
> 2. changed the Sessions timeout to 604800 and the SessionCache
> cacheTimeout also to 604800, which should mean sessions only timeout if
> there is no activity for a week
> 3. restarted shibd to pick up the above changes to the cache timeout

Did you try looking at the documentation?
https://spaces.internet2.edu/display/SHIB2/NativeSPSessions

* lifetime (time in seconds) (defaults to 28800)
    o Maximum duration in seconds that a session maintained by
      the SP will be valid. The actual time may be less than this
      value (if an IdP indicates it should be shorter) but will
      never be longer. Note that this will not influence sessions
      maintained by an application.

* timeout (time in seconds) (defaults to 3600)
    o Maximum inactivity allowed between requests in a session
      maintained by the SP. This inactivity applies only to
      requests to this SP and is not aware of activity between the
      browser and other web sites (or even other applications on
      this system). A value of 0 disables timeout checking.

So you want timeout="0" to disable timeout checking, and
lifetime="604800" or whatever for loooong sessions.
-peter

Scott Cantor

Mar 5, 2010, 10:00:43 AM
to shibbole...@internet2.edu
> On our servers currently Shibboleth2 sessions expire after a day or
> less. We need to make Shibboleth2 sessions "permanent".

Peter answered this (you have the settings exactly backwards, basically),
but you can't make them permanent, only impervious to timeout. There's
always a maximum lifetime, though it can be very long.

-- Scott
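
An added example, not part of the thread and not Shibboleth project code: a Python check that reads the `Sessions` attributes discussed above and applies the documented rules (lifetime is a hard cap that an IdP can only shorten; timeout="0" disables inactivity checking). The XML fragments are constructed samples, and `idp_limit` is a hypothetical parameter standing in for a shorter expiry indicated by the IdP.

```python
import xml.etree.ElementTree as ET

NS = "{urn:mace:shibboleth:2.0:native:sp:config}"  # SP 2.x config namespace
DEFAULTS = {"lifetime": 28800, "timeout": 3600}    # defaults quoted in the thread

# Constructed sample configs (fragments, not complete shibboleth2.xml files).
AS_POSTED = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults><Sessions lifetime="0" timeout="604800"/></ApplicationDefaults>
</SPConfig>"""
AS_ADVISED = AS_POSTED.replace('lifetime="0" timeout="604800"',
                               'lifetime="604800" timeout="0"')

def read_sessions(xml_text):
    """Return (lifetime, timeout) in seconds, applying the documented defaults."""
    el = ET.fromstring(xml_text).find(f".//{NS}Sessions")
    if el is None:
        raise ValueError("no <Sessions> element found")
    return tuple(int(el.get(k, DEFAULTS[k])) for k in ("lifetime", "timeout"))

def findings(lifetime, timeout):
    """Flag settings that do not do what the original poster expected."""
    out = []
    if lifetime <= 0:
        out.append("lifetime=0 is not documented as 'unlimited'; "
                   "only timeout treats 0 as disabled")
    if timeout and timeout >= lifetime > 0:
        out.append("timeout >= lifetime: the lifetime cap always ends "
                   "the session first")
    return out

def session_end(lifetime, timeout, start, last_request, idp_limit=None):
    """Epoch second at which the SP session stops being valid.

    idp_limit is an optional expiry indicated by the IdP; it can only shorten.
    """
    end = start + lifetime
    if idp_limit is not None:
        end = min(end, idp_limit)
    if timeout:  # 0 disables inactivity checking
        end = min(end, last_request + timeout)
    return end

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("as advised", AS_ADVISED)):
        lifetime, timeout = read_sessions(cfg)
        print(name, lifetime, timeout, findings(lifetime, timeout))
```
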

