Inferensys

Glossary

Session

A long-lived logical connection between an OPC UA Client and Server that manages authentication, state, and continuity for service requests over a Secure Channel.
Product team prototyping AI features on laptops, mockups on screens, collaborative ideation session.
LOGICAL CONNECTION LIFECYCLE

What is an OPC UA Session?

A Session is a long-lived logical connection between an OPC UA Client and Server that manages authentication, state, and continuity for service requests over a Secure Channel.

An OPC UA Session is a long-lived logical connection established by a Client with a Server after a Secure Channel has been created. It encapsulates the authentication context, negotiated parameters, and server-side state required to execute service requests like reading Variable Nodes or browsing the Address Space. The Session persists independently of the underlying transport connection, allowing recovery from transient network interruptions without losing user identity or subscription state.

Within a Session, the Server maintains a unique SessionId and manages client-created objects such as Subscriptions and Monitored Items. The Session defines the lifetime of these entities—if a Session is terminated, all associated Subscriptions are deleted. Sessions also enforce Role-Based Access Control by binding a user identity token to every service invocation, ensuring that data access and method calls are authorized according to the user's assigned permissions.

SESSION MANAGEMENT

Key Characteristics of an OPC UA Session

An OPC UA Session is a long-lived logical connection that manages authentication, user context, and continuity for service requests between a Client and Server over a Secure Channel.

01

Session Establishment and Authentication

A Session is created via the CreateSession service after a Secure Channel is active. The Client presents a Client Certificate for application authentication, and optionally a UserIdentityToken (username/password, X.509 certificate, or Kerberos token) for user authentication. The Server validates these credentials and returns a SessionId and AuthenticationToken, establishing a secure, mutually verified context for all subsequent service calls.

02

Stateful Continuity and Session Recovery

Unlike the stateless Secure Channel, a Session maintains stateful context across multiple service requests. If the underlying Secure Channel fails, the Session persists for a configurable SessionTimeout period. Clients can use the ActivateSession service to reconnect to an existing Session without losing subscriptions, monitored items, or user context, enabling resilience against transient network interruptions.

03

Subscription and Monitored Item Management

A Session acts as the container for all Subscription objects. Within a Session, a Client creates Subscriptions that group Monitored Items—specific Node attributes to watch for changes. The Session manages the lifecycle of these entities, ensuring that data change notifications are delivered reliably and that pacing parameters like PublishingInterval and KeepAliveCount are enforced.

04

User Impersonation and Role Context

A Session carries the identity of an authenticated user, enabling Role-Based Access Control (RBAC). All service requests within the Session execute under the permissions assigned to that user's roles. A Client can change the user context by calling ActivateSession with a new UserIdentityToken, allowing dynamic privilege escalation or de-escalation without tearing down the Session.

05

Session Diagnostics and Auditing

Each Session exposes diagnostic information through the ServerDiagnosticsSummary and SessionDiagnostics objects in the Address Space. Metrics include:

  • CurrentSessionCount and CumulativeSessionCount
  • SessionTimeout configuration
  • ClientDescription and EndpointUrl This data supports auditing, capacity planning, and troubleshooting of client connections.
06

Session Termination and Cleanup

A Session is terminated explicitly via the CloseSession service or implicitly when the SessionTimeout expires without a successful ActivateSession call. Upon termination, the Server automatically deletes all associated Subscriptions and Monitored Items, freeing resources. Proper session closure ensures that the Server's SessionManager does not accumulate orphaned state, maintaining system health.

OPC UA SESSIONS

Frequently Asked Questions

Clear answers to common questions about OPC UA Session mechanics, lifecycle, and security for industrial automation engineers.

An OPC UA Session is a long-lived logical connection between a single Client and Server that manages authentication, user identity, and continuity for service requests over a Secure Channel. After the Secure Channel establishes encryption, the Client activates a Session by calling the CreateSession and ActivateSession services, which negotiate session parameters like timeout, locale, and user credentials. The Session maintains state—including Continuation Points for browsing large Address Spaces and Subscription lists for data change notifications—so that if the underlying Secure Channel breaks, the Client can reattach to the same Session within the timeout period without losing its context. Each Session is uniquely identified by a sessionId assigned by the Server and is scoped to a single authenticated user, enforcing Role-Based Access Control on all subsequent service calls.

CONNECTION LAYER COMPARISON

Session vs. Secure Channel

Distinguishing the logical application-layer connection from the transport-layer security envelope in OPC UA communication architecture.

FeatureSessionSecure Channel

OSI Layer

Application Layer (Layer 7)

Transport/Session Layer (Layer 4-5)

Primary Function

Manages user authentication, state continuity, and service requests

Provides encryption, message signing, and integrity for data in transit

Lifetime

Long-lived; persists across Secure Channel interruptions

Short-lived relative to Session; can be terminated and re-established independently

Authentication Scope

User identity and authorization (UserToken)

Application instance identity (X.509 Certificate exchange)

State Management

Maintains Subscriptions, Monitored Items, and session attributes

Stateless beyond cryptographic keys and sequence numbers

Recovery Mechanism

Supports session transfer and reconnect without data loss

Requires full re-establishment via OpenSecureChannel handshake

Dependency

Requires an active Secure Channel for transport

Independent; can exist before any Session is created

Termination Impact

All Subscriptions and Monitored Items are deleted

Sessions are temporarily orphaned but can be recovered on a new channel

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.