Configuring the Cookie Domain
Configure AM's cookie domain to ensure only users and entities from trusted domains can be authenticated.
By default, the AM installer sets the cookie domain based on the fully qualified hostname of the server on which it installs AM, such as openam.example.com
.
After installation, you may want to change the cookie domain to example.com
so AM can communicate with any host in the sub-domain.
Log in to the AM console as an administrator user, for example,
amAdmin
.Navigate to Configure > Global Services > Platform > Cookie Domain.
In the Cookie Domain field, set the list of domains into which AM should write cookies. Consider the following points:
Configure as many cookie domains as your environment requires. For example, for the realms configured with DNS aliases[1]. Browsers ignore any cookies that do not match the current domain to ensure the correct one is used.
If you do not specify any cookie domain, AM uses the fully qualified name of the server, which implies that a host cookie is set rather than a domain cookie.
When configuring AM for Cross-Domain Single Sign-On (CDSSO), you must protect your AM deployment against cookie hijacking by setting a host cookie rather than a domain cookie. For more information, see "Enabling Restricted Tokens for CDSSO Session Cookies".
Do not configure a top-level domain as your cookie domain; browsers will reject them. Top-level domains are browser-specific. For example, Firefox considers special domains like Amazon's web service (for example, ap-southeast-2.compute.amazonaws.com) to be a top-level domain [2].
Do not configure the cookie domain such that it starts with a dot (.) character. For example, configure
example.com
instead of.example.com
.If you are using Wildfly as the AM web container with multiple cookie domains, you must set the advanced server property,
com.sun.identity.authentication.setCookieToAllDomains
, tofalse
.Set this property in the AM console under Configure > Server Defaults > Advanced.
Save your changes.
Restart AM or the container where it runs.
[1] For more information, see "To Configure DNS Aliases for Accessing a Realm".
[2] For a list of effective top-level domains, see https://publicsuffix.org/list/effective_tld_names.dat.