Access Management 7.2.2

Secure sessions

Cookie hijacking is not the only danger to sessions. Consider the following non-exhaustive list of scenarios that can result in a compromised account:

  • End users entering their data in a malicious website thinking it is the authentic one.

  • End users leaving their computers unattended while their session is open.

  • End users logging in from completely different locations or devices than their usual.

The following table summarizes the tasks you need to perform to keep sessions secure, with the resources describing each task:

  • Settings related to session termination

    Understand session termination, and configure the session time-to-live and idle timeout. Ensuring that sessions expire within a reasonable time helps you protect your environment against impersonation attacks.

  • Lock accounts after failed login attempts

    Configure account lockout to protect your environment against brute-force or dictionary attacks.

  • Limit the number of active user sessions

    Prevent users from logging in from more than two devices at a time, for example. This helps you mitigate cases where user accounts have been compromised.

  • Protect client-side sessions

    AM offers additional security measures to protect client-side sessions. They are more vulnerable to hijacking than server-side sessions because they carry all the session information themselves.

  • Protect authentication sessions

    Configure authentication session allowlisting to protect these sessions against replay attacks.
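The following is an added example, written for this page and not code from Access Management or its documentation, that models the first three tasks above as a single policy enforced by an in-memory session store: a session time-to-live and idle timeout that terminate stale sessions, a cap on concurrent sessions per user, and account lockout after repeated failed logins. The class names, the policy values, the eviction of the oldest session when the cap is reached, and the explicit `now` timestamps are all assumptions made for the illustration.

```python
"""Session-lifetime, concurrency and lockout policy model.

Added example only: not AM's own code. Policy numbers, class names and the
in-memory store are assumptions made for this illustration.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


class AccountLocked(Exception):
    """Raised when a login is attempted against a locked account."""


@dataclass
class SessionPolicy:
    max_lifetime: int        # session time-to-live, seconds from creation
    idle_timeout: int        # seconds allowed between two uses of a session
    max_sessions: int        # concurrent sessions allowed per user
    lockout_threshold: int   # failures inside lockout_window that lock the account
    lockout_window: int      # seconds over which failed logins are counted
    lockout_duration: int    # seconds the account stays locked


@dataclass
class Session:
    sid: str
    user: str
    created: int
    last_active: int


class SessionStore:
    """Minimal store that enforces the policy on every operation.

    Time is passed in explicitly (seconds) so behaviour is deterministic.
    """

    def __init__(self, policy: SessionPolicy):
        self.policy = policy
        self.sessions: dict[str, Session] = {}
        self.failures: dict[str, list[int]] = {}
        self.locked_until: dict[str, int] = {}

    # --- account lockout -------------------------------------------------
    def is_locked(self, user: str, now: int) -> bool:
        return self.locked_until.get(user, -1) > now

    def record_failed_login(self, user: str, now: int) -> bool:
        """Record a failure; return True if this failure locked the account."""
        window_start = now - self.policy.lockout_window
        recent = [t for t in self.failures.get(user, []) if t > window_start]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.policy.lockout_threshold:
            self.locked_until[user] = now + self.policy.lockout_duration
            self.failures[user] = []
            return True
        return False

    # --- session creation and the concurrent-session limit ---------------
    def login(self, user: str, now: int) -> str:
        """Create a session after a successful authentication."""
        if self.is_locked(user, now):
            raise AccountLocked(user)
        self.failures.pop(user, None)  # success resets the failure counter
        # Enforce the limit by evicting this user's oldest sessions first
        # (the eviction strategy is an assumption of this example).
        active = sorted(
            (s for s in self.sessions.values() if s.user == user),
            key=lambda s: s.created,
        )
        while len(active) >= self.policy.max_sessions:
            oldest = active.pop(0)
            del self.sessions[oldest.sid]
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self.sessions[sid] = Session(sid, user, now, now)
        return sid

    # --- validation on every request -------------------------------------
    def validate(self, sid: str, now: int) -> bool:
        """Return True if the session is still valid; expired ones are purged."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        too_old = now - s.created > self.policy.max_lifetime
        too_idle = now - s.last_active > self.policy.idle_timeout
        if too_old or too_idle:
            del self.sessions[sid]  # terminate: TTL or idle timeout exceeded
            return False
        s.last_active = now  # activity extends the idle window, never the TTL
        return True

    def active_sessions(self, user: str) -> int:
        return sum(1 for s in self.sessions.values() if s.user == user)
```

Two design points carry over to any real deployment: activity only refreshes the idle timer, so the time-to-live still bounds how long a stolen session identifier remains useful, and a successful login clears the failure counter while a lockout is keyed on the account rather than the client, so the limit cannot be sidestepped by changing source address.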

Copyright © 2010-2024 ForgeRock, all rights reserved.