keycloak-scim/docs/documentation/server_admin/topics/threat/auth-sessions-limit.adoc

[[_limit-authentication-sessions]]
=== Limit Authentication Sessions

<<_authentication-sessions, Authentication sessions>> track the state of the authentication. The text below is applicable regardless of the source flow.

NOTE: This section describes deployments that use the {jdgserver_name} provider for authentication sessions.

Authentication session is internally stored as `RootAuthenticationSessionEntity`. Each `RootAuthenticationSessionEntity` can have multiple authentication sub-sessions stored within the
`RootAuthenticationSessionEntity` as a collection of `AuthenticationSessionEntity` objects. {project_name} stores authentication sessions in a dedicated {jdgserver_name} cache.
The number of `AuthenticationSessionEntity` per `RootAuthenticationSessionEntity` contributes to the size of each cache entry. Total memory footprint of authentication session cache is determined by
the number of stored `RootAuthenticationSessionEntity` and by the number of `AuthenticationSessionEntity` within each `RootAuthenticationSessionEntity`.

The number of maintained `RootAuthenticationSessionEntity` objects corresponds to the number of unfinished login flows from the browser. To keep the number of `RootAuthenticationSessionEntity`
under control, using an advanced firewall control to limit ingress network traffic is recommended.


Higher memory usage may occur for deployments where there are many active `RootAuthenticationSessionEntity` with a lot of `AuthenticationSessionEntity`.
If the load balancer does not support or is not configured for session stickiness, the load over network in a cluster can
increase significantly. The reason for this load is that each request that lands on a node that does not own the appropriate authentication session needs to retrieve
and update the authentication session record in the owner node which involves a separate network transmission for both the retrieval and the storage.

The maximum number of `AuthenticationSessionEntity` per `RootAuthenticationSessionEntity` can be configured in `authenticationSessions` SPI by setting property `authSessionsLimit`. The default value is set to 300 `AuthenticationSessionEntity` per a `RootAuthenticationSessionEntity`. When this limit is reached, the oldest authentication sub-session will be removed after a new authentication session request.

The following example shows how to limit the number of active `AuthenticationSessionEntity` per a `RootAuthenticationSessionEntity` to 100.

[source,bash]
----
bin/kc.[sh|bat] start --spi-authentication-sessions-infinispan-auth-sessions-limit=100
----

ifeval::[{project_community}==true]
The equivalent command for the new map storage:

[source,bash]
----
bin/kc.[sh|bat] start --spi-authentication-sessions-map-auth-sessions-limit=100
----
endif::[]
KEYCLOAK-18738 Improve RootAuthenticationSession description 2021-07-27 13:28:46 +00:00			`[[_limit-authentication-sessions]]`
KEYCLOAK-16616 authenticationSessions map in RootAuthenticationSessionEntity grows unboundedly 2021-05-31 13:30:59 +00:00			`=== Limit Authentication Sessions`

Documentation for changes related to 'You are already logged in' scen… (#28595) closes #27879 Signed-off-by: mposolda <mposolda@gmail.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> 2024-04-11 06:18:41 +00:00			`<<_authentication-sessions, Authentication sessions>> track the state of the authentication. The text below is applicable regardless of the source flow.`
KEYCLOAK-16616 authenticationSessions map in RootAuthenticationSessionEntity grows unboundedly 2021-05-31 13:30:59 +00:00
			`NOTE: This section describes deployments that use the {jdgserver_name} provider for authentication sessions.`
KEYCLOAK-18738 Improve RootAuthenticationSession description 2021-07-27 13:28:46 +00:00
			Authentication session is internally stored as `RootAuthenticationSessionEntity`. Each `RootAuthenticationSessionEntity` can have multiple authentication sub-sessions stored within the
			`RootAuthenticationSessionEntity` as a collection of `AuthenticationSessionEntity` objects. {project_name} stores authentication sessions in a dedicated {jdgserver_name} cache.
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			The number of `AuthenticationSessionEntity` per `RootAuthenticationSessionEntity` contributes to the size of each cache entry. Total memory footprint of authentication session cache is determined by
KEYCLOAK-18738 Improve RootAuthenticationSession description 2021-07-27 13:28:46 +00:00			the number of stored `RootAuthenticationSessionEntity` and by the number of `AuthenticationSessionEntity` within each `RootAuthenticationSessionEntity`.

			The number of maintained `RootAuthenticationSessionEntity` objects corresponds to the number of unfinished login flows from the browser. To keep the number of `RootAuthenticationSessionEntity`
			`under control, using an advanced firewall control to limit ingress network traffic is recommended.`

admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00
KEYCLOAK-18738 Improve RootAuthenticationSession description 2021-07-27 13:28:46 +00:00			Higher memory usage may occur for deployments where there are many active `RootAuthenticationSessionEntity` with a lot of `AuthenticationSessionEntity`.
Remove WildFly distribution from documentation (#1666) * Remove WildFly distribution from documentation Closes #1665 * Update server_admin/topics/authentication/webauthn.adoc Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com> * Update upgrading/topics/install_new_version.adoc Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com> * Update upgrading/topics/migrate_db.adoc Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com> * Update upgrading/topics/migrate_db.adoc Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com> * Update server_admin/topics/realms/ssl.adoc * Update server_admin/topics/user-federation/ldap.adoc Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com> * Update server_development/topics/providers.adoc Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com> * Update server_development/topics/providers.adoc Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com> * Remove section on cilent cert lookup in x509.adoc * Update securing_apps/topics/oidc/fapi-support.adoc Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com> * Add missing images for rh-sso images by moving to shared images as we won't have RH-SSO specific theme anymore Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com> 2022-08-19 11:15:51 +00:00			`If the load balancer does not support or is not configured for session stickiness, the load over network in a cluster can`
KEYCLOAK-18738 Improve RootAuthenticationSession description 2021-07-27 13:28:46 +00:00			`increase significantly. The reason for this load is that each request that lands on a node that does not own the appropriate authentication session needs to retrieve`
			`and update the authentication session record in the owner node which involves a separate network transmission for both the retrieval and the storage.`
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00
KEYCLOAK-18738 Improve RootAuthenticationSession description 2021-07-27 13:28:46 +00:00			The maximum number of `AuthenticationSessionEntity` per `RootAuthenticationSessionEntity` can be configured in `authenticationSessions` SPI by setting property `authSessionsLimit`. The default value is set to 300 `AuthenticationSessionEntity` per a `RootAuthenticationSessionEntity`. When this limit is reached, the oldest authentication sub-session will be removed after a new authentication session request.
KEYCLOAK-16616 authenticationSessions map in RootAuthenticationSessionEntity grows unboundedly 2021-05-31 13:30:59 +00:00
KEYCLOAK-18738 Improve RootAuthenticationSession description 2021-07-27 13:28:46 +00:00			The following example shows how to limit the number of active `AuthenticationSessionEntity` per a `RootAuthenticationSessionEntity` to 100.
KEYCLOAK-16616 authenticationSessions map in RootAuthenticationSessionEntity grows unboundedly 2021-05-31 13:30:59 +00:00
Update documentation for Quarkus distribution (#1385) 2022-02-08 13:07:16 +00:00			`[source,bash]`
			`----`
			`bin/kc.[sh\|bat] start --spi-authentication-sessions-infinispan-auth-sessions-limit=100`
			`----`
Add limit for authSessions per rootAuthSession in map storage 2022-08-09 10:40:06 +00:00
Code certain features as upstream only (#23603) Closes #23581 2023-10-03 18:50:23 +00:00			`ifeval::[{project_community}==true]`
Add limit for authSessions per rootAuthSession in map storage 2022-08-09 10:40:06 +00:00			`The equivalent command for the new map storage:`

			`[source,bash]`
			`----`
			`bin/kc.[sh\|bat] start --spi-authentication-sessions-map-auth-sessions-limit=100`
			`----`
Code certain features as upstream only (#23603) Closes #23581 2023-10-03 18:50:23 +00:00			`endif::[]`