Enabling Persistent Sessions in Keycloak 25.0.2 #44920

camilovietnam · 2025-12-15T16:17:48Z

camilovietnam
Dec 15, 2025

Hi! I just wanted to ask your opinion on the following situation:

I have 3 machines running Keycloak version 25.0.2, with the feature persistent-user-sessions disabled. I would like to enable it, and I thought that if I just stopped one machine at a time, and restarted the Docker container with the feature enabled, the sessions would be kept in the cache of the remaining two machines and replicated to the third one after it restarted. A quick local test appeared to indicate that this was the case. I logged in with one user to a test App in localhost using 3 local Keycloak containers with a synced cache. Then, I restarted one machine with the feature enabled, waited until it rebalanced with the other two - and the session was still active in the application, and I was able to get a JWT. Then I enabled the feature on the 2nd Keycloak instance, then the 3rd, and eventually all machines had the feature enabled, and the user session was still alive.

However, when I actually went to PROD, I found some issues - perhaps caused by cache limits imposed by Keycloak? The documentation mentions 10,000 sessions max; When I enabled the feature in one of the machines, I noticed that it was reporting fewer sessions for the same user, whereas the other two reported the full list of sessions. I decided to rollback and disable the feature in the Keycloak instance where it was activated.

I have read on the Keycloak documentation https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-user-sessions-during-the-upgrade that enabling the persistent sessions is probably not something you can do after the migration from Keycloak 24 to Keycloak 25, and it might have worked for my local environment just out of luck - so now I'm wondering whether I should make another attempt in PROD, with perhaps an increased cache size, or whether it's better to simply accept the fact that Users will lose their active session, and then run the suggested procedure of stopping all machines and then restarting with the persisted sessions enabled.

Thanks!

darius-m · 2025-12-16T08:06:37Z

darius-m
Dec 16, 2025

The upgrading guide mentions that for the migration to work, you would need to use a form of persistence, outside of Keycloak - either an external Infinispan node or JDBC persistence configured for the embedded cache:

When upgrading from Keycloak 24 or earlier, admins can choose to migrate existing
online user and client sessions to persistent sessions. For this to work, those existing
sessions need to be stored in either a remote Infinispan or in a database configured
as JDBC persistence for Keycloak’s embedded cache. Migrating in-memory sessions
for Keycloak 24 is not supported as all Keycloak instances need to be shut down before
the upgrade due to a major version upgrade of the embedded Infinispan.

The migration of user sessions only works when the persistent user sessions is enabled
when upgrading to Keycloak 25. If you chose to upgrade to 25 without enabling persistent
user sessions, there is currently no possibility to trigger the migration of existing sessions
at a later point in time.

Enabling this feature later, by a configuration change, can result in an undefined behavior
of Keycloak related to sessions if both persisted and non-persisted sessions co-exist. To prevent
that, remove all existing online user and client sessions before the first node is started with the
feature enabled. This means all Keycloak nodes need to be stopped and, if used, Infinispan remote
cache store and embedded Infinispan JDBC persistence need to be cleared.

As the last paragraph implies, this is likely an issue with having multiple Keycloak live instances that receive requests at the same time - the ones that are running without using the persistent storage will save partial information in the cache, while the one with the feature active is trying to store the information in the database. In your case, the production instance may have more traffic that makes these coherency issues happen more often, as opposed to the test instance which is likely more isolated.

Whether losing the active user sessions once is acceptable, and what measures you need to take (e.g., informing the users about it in advance) it's up to the individual organization. However, if the feature is stable long term, and so far it has been, I think enabling it is worth it, especially considering that the user sessions are lost during every major upgrade if an external cache or persistence mechanism is not used.

1 reply

camilovietnam Dec 16, 2025
Author

@darius-m yes, I think the feature is very useful, and I want to have it enabled as soon as possible, but I would love it it I was able to change the settings without losing my current sessions...from what I read in the documentation, it would be preferable to just assume that it is not possible, and just stop all containers and run them again with the feature enabled. But I wanted to know what other people thought about this.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Enabling Persistent Sessions in Keycloak 25.0.2 #44920

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Enabling Persistent Sessions in Keycloak 25.0.2 #44920

Uh oh!

Uh oh!

camilovietnam Dec 15, 2025

Replies: 1 comment · 1 reply

Uh oh!

darius-m Dec 16, 2025

Uh oh!

camilovietnam Dec 16, 2025 Author

camilovietnam
Dec 15, 2025

Replies: 1 comment 1 reply

darius-m
Dec 16, 2025

camilovietnam Dec 16, 2025
Author