In-memory sessions reside in AM's memory. AM sends clients a reference to the session, but the reference does not contain any of the session state information.
In-Memory Authentication Sessions Specifics
In-memory authentication sessions are the only configuration supported for authentication chains. They are also configured by default for authentication trees after an upgrade.
During authentication, the authentication session reference is returned to the client after a call to the authenticate endpoint and stored in the authId object of the JSON response.
AM maintains the user's authentication session in its memory. After the authentication flow has completed, AM performs the following tasks:
If the realm to which the user has authenticated is configured for CTS-based sessions, AM stores the user's session in the CTS token store and deletes the authentication session from memory.
If the realm to which the user has authenticated is configured for client-based sessions, AM stores the user's session in a cookie on the user's browser and deletes the authentication session from memory.
Authentication session whitelisting is an optional feature that maintains a list of in-progress authentication sessions and their progress in the authentication flow to protect against replay attacks. For more information, see "Configuring Authentication Session Whitelisting".
Deployments where AM stores authentication sessions in memory require sticky load balancing to route all requests pertaining to a particular authentication flow to the same AM server. If a request reaches a different AM server, the authentication flow will start anew.
Authentication chains only support storing authentication sessions in memory. ForgeRock recommends switching to authentication trees with CTS-based or client-based authentication sessions.
For information about configuring AM with sticky load balancing, see Load Balancers.
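The following is an added example, not ForgeRock code: a toy model of why in-memory authentication sessions need sticky load balancing. The AMNode class, the three-step flow, the random reference format and the routing functions are all assumptions made for illustration; only the authId field name comes from the text above.

```python
import itertools
import secrets

FLOW_STEPS = 3  # assumed number of steps in the modelled authentication flow


class AMNode:
    """Toy stand-in for one AM server keeping authentication sessions in memory."""

    def __init__(self):
        self.sessions = {}  # reference -> state; exists only in this process

    def authenticate(self, auth_id=None):
        state = self.sessions.get(auth_id)
        if state is None:
            # Missing or unknown reference: this node starts the flow anew.
            auth_id = secrets.token_urlsafe(16)  # opaque, carries no state
            self.sessions[auth_id] = {"step": 1}
            return {"authId": auth_id, "step": 1}
        state["step"] += 1
        if state["step"] == FLOW_STEPS:
            # Flow complete: the authentication session is deleted from memory.
            del self.sessions[auth_id]
            return {"authenticated": True, "step": FLOW_STEPS}
        return {"authId": auth_id, "step": state["step"]}


def run_flow(nodes, pick_node, max_requests=12):
    """Drive one client through the flow; return (completed, steps seen)."""
    auth_id, steps = None, []
    for _ in range(max_requests):
        reply = pick_node(nodes).authenticate(auth_id)
        steps.append(reply["step"])
        if reply.get("authenticated"):
            return True, steps
        auth_id = reply["authId"]
    return False, steps


def demo():
    # Sticky routing: every request of the flow reaches the same node.
    sticky = run_flow([AMNode(), AMNode()], lambda nodes: nodes[0])
    # Non-sticky routing: requests alternate between the two nodes.
    rr_nodes = [AMNode(), AMNode()]
    rr = itertools.cycle(rr_nodes)
    spread = run_flow(rr_nodes, lambda nodes: next(rr))
    stranded = sum(len(n.sessions) for n in rr_nodes)
    return sticky, spread, stranded


if __name__ == "__main__":
    print(demo())
```

With sticky routing the flow completes in three requests. Without it, every request lands on a node that has never seen the reference, so the flow restarts at step 1 each time and each restart leaves another unfinished session in the model's memory.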
In-Memory Sessions Specifics
AM does not support in-memory sessions for authenticated users.