Sessions
========

LL::NG rely on a session mechanism with the session ID as a shared
secret between the user (in :doc:`SSO cookie<ssocookie>`) and the
:ref:`session database<start-sessions-database>`.

To configure sessions, go in Manager, ``General Parameters`` »
``Sessions``:

-  **Store user password in session data**: see
   :doc:`password store documentation<passwordstore>`.
-  **Display session identifier**: Should the session ID be displayed in the manager's session explorer. The session ID is a sensitive information that should only be shown to highly trusted administrators.
-  **Sessions timeout**: Maximum lifetime of a session. Old sessions are
   deleted by a cron script.
-  **Sessions activity timeout**: Maximum inactivity duration.
-  **Sessions update interval**: Minimum interval used to update session
   when activity timeout is set.


.. danger::

    Session activity timeout requires Handlers to have a write
    access to sessions database.

-  **Opening conditions**: rules which are evaluated before granting
   session, see :doc:`Grant Session plugin documentation<grantsession>`
-  **Sessions Storage**: you can define here which session backend to
   use, with the backend options. See
   :ref:`sessions database configuration<start-sessions-database>` to
   know which modules you can use. Here are some global options that you
   can use with all sessions backends:

   -  **generateModule**: allows one to override the default module that
      generates sessions identifiers. For security reasons, we recommend
      to use
      Lemonldap::NG::Common::Apache::Session::Generate::SHA256
   -  **IDLength**: length of sessions identifiers. Max is 32 for MD5
      and 64 for SHA256

-  **Multiple sessions**, you can restrict the number of open sessions:

   -  **One session per user**: when a user logs in, all their previous
      sessions are removed
   -  **One IP address per user**: when a user logs in, all their
      previous sessions on a different IP address are removed
   -  **One user per IP address**: when a user logs in, all sessions
      that belong to a different user on that IP address are removed
   -  **Display deleted sessions**: display deleted sessions on
      authentication phase.
   -  **Display other sessions**: display other sessions on
      authentication phase, with a link to delete them.

-  **Persistent sessions**: are used for storing users log in history,
   2F devices, OIDCConsents and so on. Heavy organizations may have to
   disable persistent sessions storage to avoid too many database
   tuples.

   -  **Disable storage**: Do not store user persitent sessions.


.. attention::

    Note that since HTTP protocol is not connected,
    restrictions are not applied to the new session: the oldest are
    destroyed.

Command-line tools
==================

.. versionadded:: 2.0.9

You can use the ``lemonldap-ng-sessions`` tool to search, update or delete sessions. See a few examples in :ref:`the examples page <cli-sessions>`

.. deprecated:: 2.0.10

-  LLNG Portal provides a simple tool to delete a session:
   ``llngDeleteSession``. To use it, simply give it the user identifier
   *(wildcard are authorizated)*:

.. code-block:: shell

   # Delete all sessions opened by user "dwho"
   $ llngDeleteSession dwho
   # Delete all sessions opened by user starting with "dh"
   $ llngDeleteSession dh*
   # Delete all sessions:
   $ llngDeleteSession *

