AM 7.4.0

Secure sessions

Cookie hijacking is not the only danger to sessions. Consider the following non-exhaustive list of scenarios that can result in a compromised account:

  • End users entering their data in a malicious website thinking it is the authentic one.

  • End users leaving their computers unattended while their session is open.

  • End users logging in from completely different locations or devices than usual.

The following table summarizes the tasks you should perform to keep sessions secure:

Task Resources

Settings related to session termination

Understand session termination, and configure the session time-to-live and idle timeout.

Ensuring sessions expire within a reasonable time helps you protect your environment against impersonation attacks.

Lock accounts after failed login attempts

Configure account lockout to protect your environment against brute-force or dictionary attacks.

Limit the number of active user sessions

Prevent users from logging in from more than two devices as a time, for example. This helps you mitigate against cases where user accounts have been compromised.

Protect client-side sessions

AM offers additional security measures to protect client-side sessions. They are more vulnerable to hijacking than server-side sessions because they contain all the session information in them.

Protect authentication sessions

Configure authentication session allowlisting to protect these sessions against replay attacks.

Delete sessions when users change their passwords

When a user changes their password, existing sessions are not deleted automatically. You should implement a mechanism to invalidate existing sessions on password reset.

Copyright © 2010-2024 ForgeRock, all rights reserved.