Client-side sessions
For client-side sessions, AM returns the session state to the client after each request and requires the session state to be passed in with the subsequent request.
Some features are not supported in realms configured for client-side sessions. For more information, see Limitations of using client-side sessions.
For security reasons, configure AM to sign and/or encrypt client-side sessions and client-side authentication sessions. Decrypting and verifying the session can be an expensive operation to perform on each request, so AM caches the result of decrypting and verifying a session in memory to improve performance.
Find information about configuring AM with sticky load balancing in Load balancing.
Find information about configuring client-side security in Client-side session security.
Client-side authentication sessions
Client-side authentication sessions are supported for authentication trees only, and are configured by default in new installations.
During authentication, the authentication session state is returned to the client after each call to the authenticate endpoint and stored in the authId object of the JSON response. If the realm the user authenticated to is configured for server-side sessions, AM creates the user’s session in the CTS token store when the authentication flow completes.
Storing authentication sessions on the client allows any AM server to handle the authentication flow at any point in time without load balancing requirements.
Authentication session allowlisting is an optional feature that maintains a list of in-progress authentication sessions and their progress in the authentication flow to protect against replay attacks. Learn more in Authentication session allowlisting.
Client-side sessions
For browser-based clients, AM sets a cookie in the browser that contains the session state. When the browser transmits the cookie back to AM, AM decodes the session state from the cookie. For REST-based clients, AM sends the cookie in a header. Find more information about session cookies in Session cookies and session security.
Session denylisting is an optional feature that maintains a list of logged out client-side sessions in the CTS token store. Find more information about session termination and session denylisting in Session termination.
A user is granted a client-side authentication session while they are completing the authentication tree. If session denylisting is enabled, this authentication session is "logged out" when the tree is completed, to prevent replay attacks. This "logging out" adds the authentication session to the session denylist for client-side sessions. In the CTS store, this takes the form of a SESSION_BLACKLIST token that exists for the life of the authentication session.
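The following Python is an added illustration, not AM code, of the pattern described in the two sections above: authentication-session state is signed and handed back to the client in authId, verified on every step, tracked in an allowlist by its current step so a replayed authId is rejected, and moved to a denylist once the flow completes. The signing key, the demo user and the two-step flow are constructed for the example; AM's real format (a JWT that may also be encrypted) and its CTS-backed lists are not reproduced.

```python
import base64, hashlib, hmac, json, secrets

KEY = secrets.token_bytes(32)   # constructed demo key; AM uses its configured secret store
USERS = {"alice": "s3cret"}     # constructed demo credentials

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def seal(state: dict) -> str:
    """Serialize and HMAC-sign the state so the client can hold it but not alter it."""
    payload = _b64(json.dumps(state, sort_keys=True).encode())
    tag = _b64(hmac.new(KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"

def unseal(token: str) -> dict:
    """Verify the signature before trusting anything in the returned state."""
    payload, tag = token.split(".", 1)
    expected = hmac.new(KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(tag), expected):
        raise ValueError("authentication session signature invalid")
    return json.loads(_unb64(payload))

class AuthServer:
    """Two-step flow; progress lives in authId, so any server instance can serve any step."""
    def __init__(self):
        self.allowlist = {}    # in-progress auth session id -> expected step (allowlisting)
        self.denylist = set()  # completed auth session ids, i.e. "logged out" (denylisting)

    def start(self) -> dict:
        sid = secrets.token_hex(8)
        self.allowlist[sid] = 1
        return {"authId": seal({"sid": sid, "step": 1}), "callbacks": ["NameCallback"]}

    def step(self, request: dict) -> dict:
        state = unseal(request["authId"])   # tampered state never gets past this line
        sid = state["sid"]
        if sid in self.denylist or self.allowlist.get(sid) != state["step"]:
            raise PermissionError("replayed or stale authentication session")
        if state["step"] == 1:
            self.allowlist[sid] = 2
            nxt = {"sid": sid, "step": 2, "user": request["input"]}
            return {"authId": seal(nxt), "callbacks": ["PasswordCallback"]}
        if USERS.get(state["user"]) != request["input"]:
            raise PermissionError("invalid credentials")
        del self.allowlist[sid]   # flow complete: the auth session is "logged out" ...
        self.denylist.add(sid)    # ... and denylisted so the same authId cannot be reused
        return {"tokenId": f"session-for-{state['user']}"}
```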
Learn more in Choose where to store sessions.