PingOne Advanced Identity Cloud

Server-side sessions

Server-side sessions live in an internal datastore called the Core Token Service (CTS) token store.

When you configure PingOne Advanced Identity Cloud to use server-side sessions, PingOne Advanced Identity Cloud sends session references to clients. The references don’t contain any session state information. PingOne Advanced Identity Cloud can modify a server-side session during its lifetime without changing the client’s reference to the session.

Server-side authentication sessions

PingOne Advanced Identity Cloud uses authentication sessions to manage authentication journeys before a user has authenticated successfully.

During authentication, the authentication session reference is returned to the client after each call to the authenticate endpoint and stored in the authId object of the JSON response.

PingOne Advanced Identity Cloud maintains the authentication session in the CTS token store. After the authentication flow has completed, if the realm to which the user has authenticated is configured for client-side sessions, PingOne Advanced Identity Cloud returns the session state to the client and deletes the server-side authentication session.

Server-side session tokens

After the user has successfully authenticated, PingOne Advanced Identity Cloud returns a session reference, which is known as an SSO token.

For browser clients, PingOne Advanced Identity Cloud sets a cookie in the browser that contains the session reference.

For REST clients, PingOne Advanced Identity Cloud returns the session reference in response to calls to the authentication endpoint.

Server-side sessions and in-memory caching

Server-side sessions can be cached in memory. When a session that’s being requested is cached, session retrieval is nearly instantaneous.

PingOne Advanced Identity Cloud automatically caches server-side sessions after retrieving them from the CTS token store. No configuration is required to enable server-side session caching.