Managing authentication sessions stored in the database
PingFederate uses a cleanup task to remove expired authentication sessions from the configured database once a day. The cleanup task determines whether a session can be removed by looking at the session’s expiration timestamp and the current time.
About this task
Any session that has an expiration timestamp older than the current time by a configurable offset is subject to removal. As needed, the cleanup task can look at the session’s last activity timestamp instead. The cleanup task removes 500 expired sessions at a time until all expired sessions are removed. If expired sessions are growing rapidly, you can optionally increase the frequency of the cleanup task.
Increasing the frequency of the cleanup task or the number of expired sessions to be removed per batch (or both) adds more workload to your storage server. Make changes gradually to observe the impact. |
In a clustered PingFederate environment, the cleanup task runs only on the console node. If adjustments are required, make them on the console node. No changes are required on any of the engine nodes. |
Steps
-
Optional: Adjust the frequency of the cleanup task.
-
Edit the
<pf_install>/pingfederate/server/default/data/config-store/timer-intervals.xml
file. -
Update the
StoredSessionCleanerInterval
value, in milliseconds.
The default value is
86400000
, which is 24 hours.-
Save your changes.
-
-
Optional: Configure other cleanup options.
-
Edit the
<pf_install>/pingfederate/server/default/data/config-store/org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl.xml
file.See the following table for more information about each field.
Field Description ExpiredSessionGroupBatchSize
The number of expired authentication sessions to be removed per batch.
The default value is
500
.ExpirationTimeColumnName
The column of which its value determines whether an authentication session has expired in the context of the cleanup task. Valid options are
expiry_time
andlast_activity_time
.expiry_time
-
Set to
expiry_time
if the cleanup task should only remove persistent authentication sessions that have expired.The cleanup task determines if a session can be removed by looking at the session’s expiration timestamp and the current time. If the expiration timestamp is older than the current time by the number of minutes specified by theExpirationTimeOffsetMins
field, the session is subject to removal. last_activity_time
-
Set to
last_activity_time
if the clean task should remove persistent authentication sessions that have been left idle.The cleanup task determines if a session can be removed by looking at the session’s last activity timestamp and the current time. If the last activity timestamp is older than the current time by the number of minutes specified by theExpirationTimeOffsetMins
field, the session is subject to removal.For example, if PingFederate should remove persistent authentication sessions for which the last activity time is more than three weeks ago, set theExpirationTimeColumnName
value tolast_activity_time
and theExpirationTimeOffsetMins
value to30240
.
The default value is
expiry_time
.ExpirationTimeOffsetMins
The offset, in minutes, relative to the current time.
The default value is
10
.-
Save your changes.
-
-
If you have made any changes, restart PingFederate.
In a clustered PingFederate environment, you do not have to change or restart PingFederate on any of the engine nodes.