---
title: Configure server-side sessions
description: By default, Advanced Identity Cloud realms use server-side sessions.
component: pingoneaic
page_id: pingoneaic:am-sessions:configure-server-side-sessions
canonical_url: https://docs.pingidentity.com/pingoneaic/am-sessions/configure-server-side-sessions.html
keywords: ["Sessions", "Authentication", "CTS Store (Sessions & Tokens)", "Setup & Configuration", "Storage"]
page_aliases: ["sessions-guide:configure-server-side-sessions.adoc"]
section_ids:
  proc-configure-server-side-auth-sessions: Server-side journey sessions
  proc-configure-server-side-sessions: Server-side authenticated sessions
  verify_server_side_authenticated_sessions: Verify server-side authenticated sessions
---

# Configure server-side sessions

By default, Advanced Identity Cloud realms use server-side sessions.

Advanced Identity Cloud uses two types of tokens that represent an exchange of information, usually interactive, between Advanced Identity Cloud and a user or entity:

* *Journey sessions*, which Advanced Identity Cloud creates to track progress through a journey. These sessions last for the duration of the journey.

* *Authenticated sessions*, which Advanced Identity Cloud creates after a user has authenticated successfully to manage the user's or entity's access to resources.

You can configure Advanced Identity Cloud to use [client-side](client-side-sessions.html) or [server-side](server-side-sessions.html) journey and authenticated sessions.

This page covers how to configure Advanced Identity Cloud to use server-side journey and authenticated sessions if the default realm settings have changed.

## Server-side journey sessions

1. Under Native Consoles > Access Management, go to Realms > *Realm Name* > Authentication > Settings.

2. Switch to the Trees tab.

3. From the Authentication session state management scheme drop-down list, select `CTS`.

4. In the Max duration (minutes) field, adjust the maximum life of the journey session in minutes.

   You can also set the maximum duration in a journey or at the node level. Learn more in [Maximum duration](../am-authentication/suspended-auth.html#maximum-duration).

5. Save your changes.

When Advanced Identity Cloud creates tenant environments, it generates signing secrets: unique, secure, random values for signing journey sessions.

To override the generated signing secret:

1. On the Authentication - Settings page, switch to the Security tab.

2. In the Organization Authentication Signing Secret field, enter a base64-encoded HMAC secret at least 128 bits long.

   If you choose to override the generated signing secret, specify different values in your development, staging, and production tenant environments, so development sessions aren't valid in your production environment, for example.

3. Save your changes.
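
The following added example (not part of the Advanced Identity Cloud documentation) generates candidate signing secrets and checks the two requirements stated above: each value is valid base64 that decodes to at least 128 bits, and no two tenant environments share a value. The function names are hypothetical, and the script assumes `head`, `base64`, `wc`, `tr`, and a readable `/dev/urandom`.

```bash
# Added example: generate and sanity-check candidate values for the
# Organization Authentication Signing Secret field. Helper names are
# hypothetical; nothing here calls Advanced Identity Cloud.

MIN_BITS=128   # minimum HMAC secret length stated on this page

# gen_secret [BYTES]: print a base64-encoded random secret
# (default 32 bytes = 256 bits).
gen_secret() {
    head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n'
}

# secret_bits VALUE: print the decoded length in bits.
# Fails if VALUE is not valid base64.
secret_bits() {
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
    echo $(( $(printf '%s' "$1" | base64 -d | wc -c) * 8 ))
}

# check_one NAME VALUE: report and fail if VALUE is malformed or too short.
check_one() {
    _bits=$(secret_bits "$2") || { echo "$1: not valid base64" >&2; return 1; }
    [ "$_bits" -ge "$MIN_BITS" ] || {
        echo "$1: only $_bits bits, need at least $MIN_BITS" >&2
        return 1
    }
}

# check_env_secrets DEV STAGING PROD: succeed only if all three values pass
# check_one and no two environments share the same value.
check_env_secrets() {
    [ "$#" -eq 3 ] || { echo "usage: check_env_secrets DEV STAGING PROD" >&2; return 2; }
    _rc=0
    check_one development "$1" || _rc=1
    check_one staging "$2" || _rc=1
    check_one production "$3" || _rc=1
    if [ "$1" = "$2" ] || [ "$1" = "$3" ] || [ "$2" = "$3" ]; then
        echo "two environments share the same secret" >&2
        _rc=1
    fi
    return "$_rc"
}
```

Generate one value per environment with `gen_secret`, then run `check_env_secrets` on the three values before pasting each into its tenant's Security tab.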

## Server-side authenticated sessions

1. Under Native Consoles > Access Management, go to Realms > *Realm Name* > Authentication > Settings.

2. Switch to the General tab.

3. Clear Use Client-Side Sessions.

4. Save your changes.

## Verify server-side authenticated sessions

To find server-side authenticated sessions:

1. Authenticate to the realm configured for server-side authenticated sessions as a non-administrative user:

   ```bash
   $ curl \
   --request POST \
   --header 'Content-Type: application/json' \
   --header 'X-OpenAM-Username: <non-admin-username>' \
   --header 'X-OpenAM-Password: <non-admin-password>' \
   --header 'Accept-API-Version: resource=2.0, protocol=1.0' \
   'https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/authenticate'
   {
       "tokenId":"<token-id>",
       "successUrl": "/enduser/?realm=/alpha",
       "realm":"/alpha"
   }
   ```

2. Under Native Consoles > Access Management, go to Realms > *Realm Name* > Identities > *Username* to find the user identifier at the top of the profile page; for example:

   ![The profile page shows the user identifier.](_images/get-user-id.png)

3. Go to Realms > *Realm Name* > Sessions.

   With the user identifier, [search for the session](manage-sessions-ui.html). You should find the authenticated session for the non-administrative user:

   ![The service tracks server-side sessions.](_images/server-side-session-tracking.png)
