PingFederate Server

Managing authentication sessions stored in the database

PingFederate uses a cleanup task to remove expired authentication sessions from the configured database once a day. The cleanup task determines whether a session can be removed by looking at the session’s expiration timestamp and the current time.

About this task

Any session that has an expiration timestamp older than the current time by a configurable offset is subject to removal. As needed, the cleanup task can look at the session’s last activity timestamp instead. The cleanup task removes 500 expired sessions at a time until all expired sessions are removed. If expired sessions are growing rapidly, you can optionally increase the frequency of the cleanup task.

Increasing the frequency of the cleanup task or the number of expired sessions to be removed per batch (or both) adds more workload to your storage server. Make changes gradually to observe the impact.

In a clustered PingFederate environment, the cleanup task runs only on the console node. If adjustments are required, make them on the console node. No changes are required on any of the engine nodes.

Steps

  1. Optional: Adjust the frequency of the cleanup task.

    1. Edit the <pf_install>/pingfederate/server/default/data/config-store/timer-intervals.xml file.

    2. Update the StoredSessionCleanerInterval value, in milliseconds.

    The default value is 86400000, which is 24 hours.

    1. Save your changes.

  2. Optional: Configure other cleanup options.

    1. Edit the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl.xml file.

      See the following table for more information about each field.

    Field Description

    ExpiredSessionGroupBatchSize

    The number of expired authentication sessions to be removed per batch.

    The default value is 500.

    ExpirationTimeColumnName

    The column of which its value determines whether an authentication session has expired in the context of the cleanup task. Valid options are expiry_time and last_activity_time.

    expiry_time

    Set to expiry_time if the cleanup task should only remove persistent authentication sessions that have expired.The cleanup task determines if a session can be removed by looking at the session’s expiration timestamp and the current time. If the expiration timestamp is older than the current time by the number of minutes specified by the ExpirationTimeOffsetMins field, the session is subject to removal.

    last_activity_time

    Set to last_activity_time if the clean task should remove persistent authentication sessions that have been left idle.The cleanup task determines if a session can be removed by looking at the session’s last activity timestamp and the current time. If the last activity timestamp is older than the current time by the number of minutes specified by the ExpirationTimeOffsetMins field, the session is subject to removal.For example, if PingFederate should remove persistent authentication sessions for which the last activity time is more than three weeks ago, set the ExpirationTimeColumnName value to last_activity_time and the ExpirationTimeOffsetMins value to 30240.

    The default value is expiry_time.

    ExpirationTimeOffsetMins

    The offset, in minutes, relative to the current time.

    The default value is 10.

    1. Save your changes.

  3. If you have made any changes, restart PingFederate.

    In a clustered PingFederate environment, you do not have to change or restart PingFederate on any of the engine nodes.