What is Session Quota?
Session Quota provides a way to limit the number of active sessions for a given user. Basically in the session service you can configure how many active sessions could a user have. For simplicity let’s say that the active session limit is set to 5. If a user would log in for the 6th time, then based on the session quota settings a QuotaExhaustionAction gets executed, which will decide what happens with the new and the existing sessions.
How session quota is evaluated?
When session quota is enabled, OpenAM tracks the user sessions mapped by universal IDs, hence it can easily detect the number of active sessions for a given user (this mapping is only available when session quota is enabled or SFO is being used). There is 3 way how the session quota can be evaluated:
- Single Server Mode: if there is only one OpenAM node (with or without a site), then the quota will be evaluated per that one server.
- Local Server Only Mode: When the advanced property “openam.session.useLocalSessionsInMultiServerMode” is set to true, OpenAM will only evaluate session quota per local server (so a user can end up having number of servers * number of allowed concurrent sessions). This option has been introduced to provide a certain level of support for multiserver environments without SFO (see OPENAM-875)
- Session Failover Mode: In multiserver setup when using SFO it is possible to enforce deployment-wide session quota
So we now know how OpenAM detects if the session quota is being exceeded by a given user, but we don’t know yet what to do when that happens. Here comes QuotaExhaustionAction into the picture. This interface allows deployers to customize the behavior of OpenAM for these cases. To understand this a bit more let’s look at the built-in session quota exhaustion actions:
- DENY_ACCESS: basically it will deny the access for the new session, but will keep the old session alive.
- DESTROY_NEXT_EXPIRING: destroys the next expiring session (based on min(full, idle) for all the sessions), and lets the new session live.
- DESTROY_OLDEST_SESSION: destroys the session with the lowest expiration time, and lets the new session live.
- DESTROY_OLD_SESSIONS: destroys all the existing sessions, and lets the new session live.
As you can see there are many different ways to handle session quota exhaustion, and it really depends on the requirements, which method really fits. In case none of these are good for you, you can simply implement a custom QuotaExhaustionAction, for that you can find the built-in implementations here, but there is also a sample GitHub project.
Once you are ready with your custom implementation follow the installation steps on the GitHub project README.
How to enable session quota?
On the admin console go to Configuration -> Global -> Session page and:
- Set the number of “Active User Sessions” to your choosen value.
- Turn ON “Enable Quota Constraints”.
- Select the preferred exhaustion action under the “Resulting behavior if session quota exhausted” option.
Quite possibly you need to restart OpenAM for the changes to take effect, but after then it should work just as you would want it to. 😉