Access Management 7.2.2

Additional cookie security

Although the session cookie is the most important cookie to keep track of when securing AM, there are other points you must consider, such as:

  • Which cookie are you using for sticky load balancing?

    By default, AM creates the amlbcookie cookie and sets it to the ID of the instance that first responded to a request. You should change the name of this cookie to something unique in your environment.

  • Which other cookies, relevant for your environment, interact with AM or are sent to AM as part of a chain of requests?

The following table summarizes the tasks and information to review to manage cookie security that is not strictly related to the session cookie:

Task Resources

Enable support for SameSite rules

Configure AM to apply SameSite rules, such that you can declare that your cookies are restricted to a first-party or a same-site context.

Review the secure cookie filter

AM provides a filter that upgrades cookies to secure cookies if the conditions are met.

Change the name of the sticky load balancing cookie

Name the cookie something relevant and unique for your environment.

Copyright © 2010-2024 ForgeRock, all rights reserved.