Persistent Session/ Persistent Cookies

Discussion created by Ram007 on Nov 5, 2013
Latest reply on Nov 11, 2013 by Chris_Hackett


I would like to get some clarification on persistent sessions and persistent cookies. How are they related?

I have read the SiteMinder documentation on how to set persistent cookies. Their intended use is in the case where the max session timeout exceeds the browser session. Instead of forcing the user to log in again when a new browser window is opened after closing the earlier one, persistent cookies help maintain the session (I hope I am translating it well :) )

If persistent cookies are enabled, they remain valid max session timeout + 7 days 

The above statement caused me to read further in the forums, because it kind of indicated to me that no matter what the max session timeout is, the cookies (session too?) remain valid until max session timeout + 7 days.

Further reading gave me the impression that the session in the cookie is different from the cookie being persistent. Even if the cookies are persistent, the session may not be persistent.

So my questions are

1. If (persistent) cookies are VALID for max session timeout + 7 days, will the session also be VALID for the same amount of time? If the session is not valid for that much longer, how long will the session be valid in this instance (same as max session timeout)? If the session in the cookie is not valid for 7+ days, why do the persistent cookies remain valid for 7 days? What is the intended use? (What is meant by VALID here?)

2. What is the use of setting "persistent session" under the session category at a Realm level?

3. I also read about the usage of Session Store. This setting seems to be at the agent level. Does it mean all websites hosted under that agent automatically use session store? Or is there a setting that needs to be enabled at the realm level (above # 2 setting?)

3. If idle timeout is disabled, will this have any effect on the max session timeout?

4. One basic question. If a user is logged in and keeps using the application, and the user's session time has exceeded the max session timeout, will he be forced to reauthenticate?

I appreciate answers from great folks on this forum.

Thanks in advance,