In-memory sessions reside in AM’s memory. AM sends clients a reference to the session, but the reference does not contain any of the session state information.
In-memory authentication sessions
In-memory authentication sessions are the only configuration supported for authentication chains. They are also configured by default for authentication trees after an upgrade.
During authentication, the authentication session reference is returned to the client after a call to the authenticate endpoint and stored in the authId object of the JSON response.
AM maintains the user’s authentication session in its memory. After the authentication flow has completed, AM performs the following tasks:
If the realm to which the user has authenticated is configured for server-side sessions, AM stores the user’s session in the CTS token store and deletes the authentication session from memory.
If the realm to which the user has authenticated is configured for client-side sessions, AM stores the user’s session in a cookie on the user’s browser and deletes the authentication session from memory.
Authentication session allowlisting is an optional feature that maintains a list of in-progress authentication sessions and their progress in the authentication flow to protect against replay attacks. For more information, see Authentication session allowlisting.
Deployments where AM stores authentication sessions in memory require sticky load balancing to route all requests pertaining to a particular authentication flow to the same AM server. If a request reaches a different AM server, the authentication flow will start anew.
Authentication chains only support storing authentication sessions in memory. ForgeRock recommends switching to authentication trees with server-side or client-side authentication sessions.
For information about configuring AM with sticky load balancing, see Load balancing.
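The sticky load balancing requirement above can be seen in a toy model, added here as an illustration and not AM code: each node keeps authentication sessions in its own memory and hands out an opaque reference that carries no state. The names Node and run_flow, the three-step flow and the request limit are assumptions made for this example.

```python
import secrets


class Node:
    """Toy stand-in for one server that keeps authentication sessions in memory."""

    def __init__(self, name, steps=3):
        self.name, self.steps = name, steps
        self.sessions = {}  # opaque reference -> number of completed steps

    def authenticate(self, ref=None):
        """Advance the flow by one step; an unknown reference starts a new flow."""
        if ref not in self.sessions:
            ref = secrets.token_urlsafe(16)  # random handle, no session state inside
            self.sessions[ref] = 0
        self.sessions[ref] += 1
        done = self.sessions[ref] == self.steps
        if done:
            del self.sessions[ref]  # flow finished: drop it from memory
        return ref, done


def run_flow(nodes, sticky, max_requests=12):
    """Drive one client through a flow.

    Returns (completed, requests_sent, restarts). With sticky=True every
    request goes to the node that served the first one; otherwise requests
    are spread round-robin across the nodes.
    """
    ref, pinned, restarts = None, None, 0
    for i in range(max_requests):
        node = pinned if (sticky and pinned) else nodes[i % len(nodes)]
        new_ref, done = node.authenticate(ref)
        if ref is not None and new_ref != ref:
            restarts += 1  # the node did not know our reference
        ref, pinned = new_ref, pinned or node
        if done:
            return True, i + 1, restarts
    return False, max_requests, restarts


if __name__ == "__main__":
    for sticky in (True, False):
        nodes = [Node("am1"), Node("am2")]
        print("sticky" if sticky else "round-robin", run_flow(nodes, sticky),
              "sessions left in memory:", sum(len(n.sessions) for n in nodes))
```

Without stickiness every request lands on a node that has never seen the reference, so the flow restarts each time and each restart leaves an unfinished session behind in that node's memory.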
AM does not support in-memory sessions for authenticated users.
Related information: Choose where to store sessions