Configuring Shibboleth session timeouts

Paul Riddle on Jun 16, 2009

There are three separate values that affect session timeouts with Shibboleth: the session lifetime, the inactivity timeout, and the session cache timeout. Properly configuring session timeout requires an understanding of each. All three values are configured in the SP config file (shibboleth2.xml), and each is specified in seconds.

Session lifetime

The session lifetime is the absolute upper bound on how long the session will last, irrespective of inactivity. The default lifetime is 28800 seconds, or 8 hours. In most cases, you can just keep this default.

Session lifetime is set in the <Sessions> element. In the following example, the lifetime is set to the default of 28800 seconds:

<Sessions lifetime="28800" timeout="3600" checkAddress="false"
   handlerURL="/Shibboleth.sso" handlerSSL="false"
   exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
   idpHistory="true" idpHistoryDays="7"
   cookieProps="; path=/; secure">

Inactivity timeout

The inactivity timeout specifies how long the user can be idle before the session expires. The default is 3600 seconds, or 1 hour.

The inactivity timeout is also set in the <Sessions> element, in the "timeout" attribute. In the above example, the timeout is set to 3600 seconds.

Cache timeout

The SP maintains an in-memory cache of recent sessions. The cache timeout specifies how long each session remains in the SP's cache. After the cache timeout expires, the SP purges the session from the cache. The default cache timeout is 3600 seconds, or 1 hour.

Cache timeout should be set to a value equal to or greater than the inactivity timeout. If the cache timeout is shorter than the inactivity timeout, the shorter of the two timeouts will take effect.

The cache timeout is set in the <SessionCache> element, in the “cacheTimeout” attribute:

<SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600"
   inprocTimeout="900" cleanupInterval="900"/>

After modifying the cache timeout, restart the SP so the new timeout will take effect. It's not necessary to restart the SP when changing the session lifetime or inactivity timeout.
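As an added example (not part of the original post or the Shibboleth project), the following Python script reads the three attributes from a shibboleth2.xml excerpt and reports which value actually governs idle expiry, applying the rule above that a cacheTimeout shorter than the inactivity timeout wins. The sample configuration is constructed, and the defaults table assumes the values quoted in this post apply when an attribute is omitted.

```python
import xml.etree.ElementTree as ET

# Constructed shibboleth2.xml excerpt (not from the post); cacheTimeout is
# deliberately shorter than the inactivity timeout to trigger a warning.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <Sessions lifetime="28800" timeout="3600" checkAddress="false"
     handlerURL="/Shibboleth.sso" handlerSSL="false"/>
  <SessionCache type="StorageService" StorageService="mem"
     cacheTimeout="1800" inprocTimeout="900" cleanupInterval="900"/>
</SPConfig>"""

# SP defaults as quoted in the post (assumption), used when an attribute is omitted.
DEFAULTS = {"lifetime": 28800, "timeout": 3600, "cacheTimeout": 3600}

def _find_local(root, local_name):
    """First element with this local name, ignoring the SP config namespace."""
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == local_name:
            return elem
    return None

def _seconds(elem, attr):
    """Integer attribute value, or the documented default when absent."""
    if elem is None or elem.get(attr) is None:
        return DEFAULTS[attr]
    return int(elem.get(attr))

def check_session_timeouts(xml_text):
    """Return the three configured values, the effective idle timeout, and
    warnings about settings that silently override each other."""
    root = ET.fromstring(xml_text)
    sessions = _find_local(root, "Sessions")
    lifetime = _seconds(sessions, "lifetime")
    timeout = _seconds(sessions, "timeout")
    cache_timeout = _seconds(_find_local(root, "SessionCache"), "cacheTimeout")
    warnings = []
    # The post's rule: when cacheTimeout < timeout, the shorter value wins.
    if cache_timeout < timeout:
        warnings.append(f"cacheTimeout {cache_timeout} < timeout {timeout}: idle limit is {cache_timeout}s")
    # lifetime is an absolute cap, so an idle timeout above it never fires.
    if timeout > lifetime:
        warnings.append(f"timeout {timeout} exceeds lifetime {lifetime}")
    return {"lifetime": lifetime, "timeout": timeout,
            "cacheTimeout": cache_timeout,
            "effective_idle": min(timeout, cache_timeout, lifetime),
            "warnings": warnings}

if __name__ == "__main__":
    print(check_session_timeouts(SAMPLE_CONFIG))
```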