| Oracle® Fusion Middleware Administrator's Guide for Oracle Access Manager 11g Release 1 (11.1.1) Part Number E15478-02 | 
 | 
| 
 | View PDF | 
This chapter describes session management concepts and procedures for Oracle Access Manager 11g. This chapter includes the following topics:
The requirements for tasks in this chapter include:
Reviewing "Introduction to User Sessions and Session Management"
Getting familiar with Chapter 4, "Managing OAM Server Registration"
Getting familiar with Chapter 2, "Getting Started with OAM Administration and Navigation"
Generally speaking, a user's visit to a Web site is referred to as a session. With Oracle Access Manager 11g, the user must be authenticated through Oracle Access Manager authentication services and must be accessing Oracle Access Manager-protected resources.
Oracle Access Manager 11g session management refers to the process of managing the lifecycle requirements of a user session, and notification of session events to enable global logout.
The Oracle Access Manager 11g Session Management Engine (SME) interfaces with the SSO engine, which acts as the controller for session events and notifications. SME services enable the automatic generation, update, and management of user session data and enable administrators to configure the session lifecycle and to locate and remove specific active sessions.
Note:
You can access resources protected by both registered OAM Agents and OSSO Agents during the same session.Session data storage must be chosen during Oracle Access Manager installation and configuration. The same storage mechanism applies to all servers in a cluster and can be changed after installation.
Session data is stored in multiple tiers to balance latency, availability, and resource consumption. These include:
The local in-memory cache of each managed Oracle Access Manager server.
This cache contains session data for use in active server requests. A short TTL is used to quickly evict data that is not currently used.
A distributed in-memory cache shared by all managed Oracle Access Manager servers.
This cache contains session data that has been serialized for management by Oracle Coherence. Using Coherence, session data is available to any managed server that an Agent can contact to make access requests involving a session. Coherence also replicates this data across the running servers to provide fault-tolerance. Entries in the distributed cache are evicted not based on a TTL, but overall cache memory size as applied on a per-machine basis.
If the maximum cache memory size is reached, one of two actions are taken:
If the session store is enabled, entries are evicted from the distributed cache to make room. They continue to exist in the database, and can be brought back into the distributed cache if needed.
If the session store is not enabled, as a fallback mechanism entries are written to a flat file on the local machine. As the number of entries in this file grows, along with their percentage of the total number of active sessions, performance will degrade accordingly.
Note:
When a user logs out, or when the session expires, session data is automatically deleted from the in-memory store. See "About the User Session Lifecycle", for more information.OAM 11g requires a database to store OAM policy data and (optionally) OAM user session data. The database provides fault-tolerance and scaleability for very large deployments (with hundreds of thousands of simultaneous logins).
The latest data is written to the session store with each session change (step-up authentication is one example of a session change). This is done asynchronously, and so does not affect latency for the request causing the session to be created or updated. Session data is available even if an unanticipated power failure occurs.
To store OAM session data requires the database session store extended with the OAM-specific schema:
Use RCU with the OAM-specific schema to set up a database as a policy and session data store.
Use the Oracle Access Manager with Database Policy Store configuration template to enable OAM to use the database as a policy and session data store.
Oracle Access Manager 11g uses Oracle Coherence to provide a distributed cache with low-data access latencies and to transparently move data between distributed caches (and into the session store). Session data is redundant across these tiers. For example, when a session is created, it then exists within the local cache on the server that created it, the distributed cache, and (if enabled) within the session store database as well. For more information, see "Oracle Coherence and Session Management".
Administrators can configure the user session lifecycle to define the maximum duration of a user session, the period of inactivity before the user must re-authenticate, and the maximum number of active sessions each user have. The session expiration configuration enables inter-operability with OSSO Agents (mod_osso), which are only visible to the server during user login and logout. For details, see "Configuring User Session Lifecycle Settings".
Each session is unique and is identified with both a userID and a sessionID to distinguish different sessions for the same user. Administrators can find and delete one or more active sessions for a particular user or for all users. For example, a user with too many open sessions can contact the administrator and request that some or all of his sessions be removed so he can start fresh. For more information, see "Managing Active User Sessions".
User session lifecycle settings can be defined using the OAM Administration Console. The WebLogic Scripting Tool does not include options for session management.
The lifecycle of a user session refers to the period of user activity from the start of a user session to the end. Session lifecycle states include:
Active: A session starts when the user is authenticated by Oracle Access Manager. The session remains active as long as the user makes requests for Oracle Access Manager-protected content, and provided that the session has not expired.
Inactive: A session becomes inactive when the user does not access OAM-protected content for the period defined by the Idle Timeout attribute in the session lifecycle configuration.
Expired: The duration of the session has exceeded the period defined by the Session Lifetime attribute.
An active session becomes inactive when the user is inactive for the defined Idle Timeout period. A session expires when it exceeds the defined Session Lifetime period.
The Session Management Engine maintains a list of inactive sessions. When an active session becomes inactive, or expires, the user must re-authenticate. Data for expired sessions is automatically deleted from in-memory caches (or the optional SME database). Administrators can delete only active-user-session data.
OSSO GITO Support: The GITO cookie is needed in special cases to support timeout with multiple types of agents (mod_osso and WebGate) working with OAM 11g Server. When enabled (using the editGITOValues WLST command), if a user leaves an active session (with an OAM Agent) and starts a session with an OSSO Agent, when he returns to the initial session (with the OAM Agent, now inactive) the Session Management Engine reconciles the period of inactivity with the OAM Agent against the period of activity with the OSSO Agent to enable global logout for the OSSO Agent. The idle timeout is applied appropriately even if the session is operating in a disconnected state (mod_osso requests are being made but none are made by WebGate; to the server, the session appears to idle out).
Note:
The Session Management Engine reconciles a period of inactivity with the OAM Agent against a period of activity with the OSSO Agent to enable global logout for the OSSO Agent. For more information, see "mod_osso Cookies".User session lifecycle settings for OAM Agents can be defined using the OAM Administration Console. The WebLogic Scripting Tool does not include options for session management.
This section describes how the embedded Oracle Coherence data management and caching service is used during session management with the in-memory caches and any database that is configured as an SME session data store.
Note:
To maintain the shared session state consistent among the OAM Servers, the Coherence infrastructure requires network connectivity between the cluster members. Oracle recommends the use of redundant networking infrastructure in deployments requiring OAM session data consistency in the presence of network component failures.Oracle Coherence replicates and distributes session data across all Managed Servers in the cluster. The location of session data is transparent to the client. Oracle Coherence traffic is automatically encrypted. The Session Management Engine exposes session objects to other Oracle Access Manager components as needed. To compensate for data latencies and account for serialization and network transmission of objects, the cache is configured as a near cache to maintain short-lived session objects at the point of consumption.
Note:
Oracle Coherence traffic is automatically encrypted.Oracle Coherence also performs failover and reconciliation. For example, if one Managed Server fails, Oracle Coherence automatically distributes data from the failed host to the distributed in-memory caches of other Managed Server hosts.
Figure 12-1 illustrates the storage of session data that occurs using embedded Oracle Coherence. A description follows the diagram.
Note:
The OAM Administration Console is an application that resides on the WebLogic AdminServer. Session data is not stored on the AdminServer. To perform session management operations from the System Utilities node of the Administration Console, an OAM Server must be running.Figure 12-1 Session Data and the Role of Oracle Coherence

Process overview: SSO session data storage after successful authentication
The session is created, a sessionID is assigned, and session data is stored in the distributed in-memory cache. A copy is available for a short time in the local in-memory cache on the computer hosting the resource (Managed Server 1 in this example).
After a brief period, the local in-memory cache transfers the session data to the distributed in-memory cache on the same host.
Note:
If the distributed in-memory cache runs out of allocated memory space, then the least recently used sessions are evicted from the cache and stored in the database if one was configured. If the Session Management Engine is configured to use just the distributed session store, then the sessions are put in a flat file.With each session change, Oracle Coherence updates, replicates, and distributes session data in the distributed cache among OAM Servers (Managed Server 2 in this example).
Note:
The same session data is stored on only two hosts (the original host and one other).Oracle Coherence also distributes session data from the host of origin to the optional database store, if you are using one.
Note:
Only session data from the host of origin is written to the database store.A new resource request is made and session data is stored in the local in-memory cache on the computer hosting the resource (Managed Server 3 in this example).
After a brief period, the local in-memory cache transfers the session data to the distributed in-memory cache on the same host (Managed Server 3 in this example).
With each session change, Oracle Coherence updates, replicates, and distributes session data in the distributed cache among OAM Servers (Managed Server 2 and the optional SME database store).
Note:
The same session data is stored on only two hosts (the original host and one other). Only session data from the host of origin is written to the database store.A user requesting an OSSO-protected resource occurs within the same active session used by OAM Agents; however, only the OSSO user login and logout are recognized by the OAM Server. You can enable co-existence between agents.
Note:
A user can access an OSSO-protected resource while working on OAM-protected resources. Leaving the OAM-protected resource can cause an idle session timeout. However when she returns to the OAM-protected resource, Oracle Coherence reconciles the period of inactivity in the OAM Agent session against the period of activity with the OSSO Agent to enable global logout.This section provides the following topics:
User-session lifecycle settings are part of the OAM Server Common Properties shared by all OAM Servers. Figure 12-2 shows the lifecycle attributes that you can configure.
Table 12-1 describes common session lifecycle settings and their defaults. Sessions can operate in a disconnected mode (mod_osso, for example). Therefore, changes to the configuration establishing your session rules apply only to new sessions. If you need changes to apply immediately, Oracle recommends that you terminate existing sessions and force users to create new ones that adhere to your new rules.
Table 12-1 Common Session Settings
| Setting | Description | 
|---|---|
| Session Lifetime | The amount of time, in minutes, that a user's authentication session remains valid. When the lifetime is reached, the session expires. Default = 480 minutes A value of 0 disables this timeout setting. Note: Session data for an expired session is automatically deleted from the in-memory caches (or database). | 
| Idle Timeout | The amount of time, in minutes, that a user's authentication session remains valid without accessing any Oracle Access Manager protected resources. When the user is idle for a longer period, they are asked to re-authenticate. Default = 15 minutes A value of 0 disables this timeout setting. Note: Session data for an inactive session is automatically deleted from the in-memory caches (or database). | 
| Maximum Number of Sessions per User | The exact number of sessions each user can have at one time. Use this setting to configure multiple session restrictions for all users. | 
Users with valid OAM Administrator credentials can use the following procedure to modify common session lifecycle settings using the OAM Administration Console.
To view or modify common session lifecycle settings
From the Oracle Access Manager Administration Console, click the System Configuration tab.
The System Configuration navigation tree appears.
In the navigation tree, double-click Server Instances.
On the OAM Server Common Settings page, click the Session tab to display lifecycle settings.
Click the arrow keys beside each list to increase or decrease session lifecycle settings as needed (Table 12-1):
Session Lifetime
Idle Timeout
Maximum Number of Sessions per User
Click Apply to submit the changes (or close the page without applying changes).
Close the page when you finish.
Proceed to "Managing Active User Sessions".
This section describes how to locate and delete one or more sessions for a single user, or for all users.
Figure 12-3 illustrates the Session Management page, under the System Configuration tab, System Utilities node. Additional details follow the figure.
Figure 12-3 Session Management Page, under System Utilities

Table 12-2 describes Session Management page controls the results table.
Table 12-2 Session Management Page Controls and the Results Table
| Tool Bar Icon | Name | Description | 
|---|---|---|
| N/A | Delete All User Sessions ... | Choose this command button to delete the active sessions of all users. Note: A Confirmation window appears where you can confirm or decline the operation. | 
| N/A | Username | Enter a specific userID in the field and then click the > button to display all active sessions for this user. Note: A complete and accurate userID is required. No wild cards are allowed and no automatic fill-in occurs. | 
| N/A | Tool Bar | Choose commands from the provided menu or command buttons in the tool bar above the results table. | 
| View | View menu | Choose commands from the View menu above the results table to configure the table. Commands include: 
 | 
|  | Delete | Choose this command button after selecting items in the results table to delete. Note: A Confirmation window appears where you can confirm or decline the operation. | 
|  | Detach | Click to expand the results table to a full-page view. Note: If the table is already a detached full-page, click Detach to restore the Session Management page. | 
| N/A | Results table (not named) | After searching for the active sessions of a specific user, results are displayed in the table. Details include: 
 | 
Users with valid OAM Administrator credentials can use information in the following procedure to configure the search results table, locate the active sessions of a specific user, delete one or more sessions for a specific user, or delete all sessions for all users.
See Also:
"About the Session Management Page"Skip any steps that do not apply to your requirements.
Prerequisites
OAM Server must be running.
To locate and manage active sessions
From the Oracle Access Manager Administration Console, click the System Configuration tab.
The System Configuration navigation tree appears.
In the navigation tree, click System Utilities.
Under System Utilities, double-click Session Management.
The Session Management page appears with the Username field and a results table.
Configure the Results Table:
Click View to open the View menu, then click Columns to open the options list.
In the options list, click to check (or clear) items to display (or remove) from the table.
Review the results table to confirm the new setup.
Find sessions for a specific user:
In the Username field, enter an exact userid.
Click the > button on the right to locate sessions for this user.
Review the results table.
Detach Results Table: Click the Detach command button (or select Detach from the View menu) to display only the table.
Delete sessions for a specific user:
In the results table, click one or more sessions for the user.
Click the Delete button to delete the selected sessions.
Click Yes to confirm deleting selected sessions (or click No to cancel the delete operation).
Notify the user, if needed.
Delete sessions for all users:
Click the Delete All User Sessions button in the upper-right corner.
Click Yes when you are asked to confirm.
Close the Session Management page when you finish.
Proceed to "Verifying Session Management".
Use the following procedure to verify session management operations.
To validate session management
Access a resource from a browser.
Under System Utilities in the OAM Administration Console, verify that a user session exists, as described in "Managing Active User Sessions".
Multiple Sessions:
From a different browser (with cookies removed), access a different resource.
Repeat Step 2 and confirm that two sessions exist.
In the OAM Administration Console, delete all user sessions, (Step 7 of "Managing Active User Sessions") and confirm that the active user sessions are removed.
Re-authentication:
From the browser in Step 3, attempt to access a different resource.
Confirm that you are prompted for credentials.
Verify that session data is created in the database:
From the browser in Step 3, attempt to access a different resource.
Confirm that you are prompted for credentials.
Verify that session data is created in the database:
Repeat Step 4 to delete all user sessions.
Connect to the database as the OAM user and run the following query to get the results shown.
SQL> select * from oam_session
Confirm that you see the following results:
1 row selected
From the browser in Step 3, attempt to access a different resource.
Connect to the database as the OAM user and run the following query
SQL> select * from oam_session
Confirm that you see one row of data:
no rows selected
Select rows from OAM_SESSION_ATTRIBUTES and confirm that data exists for the user.
Optimize Logging for Session Management:
Invoke WLST for your platform from the following path. For example:
MW_HOME/oracle_common/common/bin/wlst.sh
Connect to WLST and login.
Execute domainRuntime() and setLogLevel(target="oam_server1",logger="oracle.oam.engine.session",level="FINEST",addLogger=1)
Tail the file <domainhome>/servers/oam_server1/logs/oam_server1-diagnostic.log.
Perform session operations.
View log messages for the Session Management Engine and Session store modules.
Repeat Step c to set level="SEVERE", perform operations and view log messages.
This section discusses session security for Oracle Access Manager 11g:
Oracle Access Manager 11g helps prevent session fixation by providing IP address checks by the Proxy. To further help prevent session fixation, use the secure HTTPS protocol.
Data is not encrypted in-memory; however, data is protected over the wire. Coherence communicates between the different OAM instances on various servers. This communication is secured by the following two ways:
Coherence supports communication only between hosts that have been previously identified.
This is done as a range of IP addresses, or by specific host names. OAM configuration file contains entries of the servers that participate in the communication. During startup, this information is provided to coherence to ensure that only authorized servers participate in the communication.
Coherence supports network filters that apply to all communication. Custom filters can be plugged in to provide filtering of required nature
OAM provides a custom filter that ensures that all communication that occurs between the instances is encrypted/decrypted with a shared key. This 128-bit key is available in the jceks and generated during install
For more information, see the Oracle Coherence documentation.
The Session Management Engine does not encrypt data.
Session data is not encrypted by Session Management Engine when written to the database.
If you have concerns, use an in-database encryption such as Oracle Advanced Security.