Client-Based Sessions

Client-based sessions are sessions in which AM returns the session state to the client after each request and requires the client to pass it back with the subsequent request.

Important

Some features are not supported in realms configured for client-based sessions. For more information, see Limitations When Using Client-Based Sessions.

For security reasons, you should configure AM to sign and/or encrypt client-based sessions and authentication sessions. Because decrypting and verifying the session can be an expensive operation to perform on every request, AM caches the decrypted and verified session state in memory to improve performance.

For more information about configuring client-based security, see "Configuring Client-Based Session Security".

  • Client-Based Authentication Sessions Specifics

    Client-based authentication sessions are supported for authentication trees only, and are configured by default in new installations.

    During authentication, the authentication session state is returned to the client after each call to the authenticate endpoint, in the authId property of the JSON response, and the client must send it back with the next call.

    After the authentication flow has completed, if the realm the user authenticated to is configured for CTS-based sessions, AM creates the user's session in the CTS token store. AM then attempts to invalidate the client-based authentication session.

    Storing authentication sessions on the client allows any AM server to handle the authentication flow at any point in time, without requiring session stickiness at the load balancer.

    Authentication session whitelisting is an optional feature that maintains a list of in-progress authentication sessions and their progress in the authentication flow, so that a previously used authId cannot be replayed to repeat an earlier step. For more information, see "Configuring Authentication Session Whitelisting".

  • Client-Based Sessions Specifics

    For browser-based clients, AM sets a cookie in the browser that contains the session state. When the browser sends the cookie back to AM, AM decodes the session state from it. For REST-based clients, AM returns the same cookie value in a header rather than relying on the browser cookie jar. For more information about session cookies, see Session Cookies and Session Security.

    Session blacklisting is an optional feature that maintains, in the CTS token store, a list of client-based sessions that have been logged out, so that AM can reject a logged-out session if it is presented again. For more information about session termination and session blacklisting, see "Understanding Session Termination" and "Configuring Client-Based Session Blacklisting".
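The following is an added illustrative model, not AM's own code and not its JWT wire format, of the three mechanisms described in this section: signed client-side state that the client must return unchanged (the authId during authentication, the session token afterwards), a server-side whitelist of in-progress authentication sessions that rejects a replayed authId, and a server-side blacklist that rejects a session after logout. It also shows the verify-once cache that avoids re-checking the same token on every request. All names (Server, sign_state, verify_state, the "sid"/"step" fields) and the signing key are assumptions made for the example.

```python
"""Illustrative model of signed client-based session state (added example, not AM code)."""
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed key for the example; a real deployment uses a managed signing/encryption key.
SECRET = b"server-side-signing-key"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_state(payload: dict, key: bytes = SECRET) -> str:
    """Serialise state canonically and append an HMAC so the client cannot alter it."""
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def verify_state(token: str, key: bytes = SECRET) -> dict:
    """Reject any token whose HMAC does not match; only then trust its contents."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(tag)):
        raise ValueError("bad signature")
    return json.loads(_b64d(body))


class Server:
    """Stateless with respect to the client token; only whitelist/blacklist live server-side."""

    def __init__(self):
        self.auth_whitelist = {}      # auth session id -> step the client is expected to be at
        self.session_blacklist = set()  # ids of sessions that have been logged out
        self._verify_cache = {}       # token -> verified payload (avoids re-verifying per request)

    def authenticate(self, auth_id=None, answer=None):
        """One round trip of a two-step flow; each response carries the next authId."""
        if auth_id is None:
            sid = _b64e(os.urandom(16))
            self.auth_whitelist[sid] = 1
            return {"authId": sign_state({"sid": sid, "step": 1}), "callbacks": ["username"]}
        state = verify_state(auth_id)
        sid = state["sid"]
        # Whitelist check: the presented authId must match the step we expect next,
        # so an older authId (or one from a finished flow) cannot be replayed.
        if self.auth_whitelist.get(sid) != state["step"]:
            raise PermissionError("auth session replayed or unknown")
        if state["step"] == 1:
            self.auth_whitelist[sid] = 2
            nxt = {"sid": sid, "step": 2, "user": answer}
            return {"authId": sign_state(nxt), "callbacks": ["password"]}
        # Final step: issue the session token and invalidate the auth session.
        del self.auth_whitelist[sid]
        session = {"sid": _b64e(os.urandom(16)), "user": state["user"],
                   "exp": int(time.time()) + 3600}
        return {"tokenId": sign_state(session)}

    def validate_session(self, token: str) -> dict:
        """Verify (from cache if seen before), then apply blacklist and expiry checks."""
        payload = self._verify_cache.get(token)
        if payload is None:
            payload = verify_state(token)
            self._verify_cache[token] = payload
        if payload["sid"] in self.session_blacklist:
            raise PermissionError("session logged out")
        if payload["exp"] < time.time():
            raise PermissionError("session expired")
        return payload

    def logout(self, token: str) -> None:
        """The client still holds a valid signature, so logout must be recorded server-side."""
        payload = verify_state(token)
        self.session_blacklist.add(payload["sid"])
        self._verify_cache.pop(token, None)


if __name__ == "__main__":
    srv = Server()
    r1 = srv.authenticate()
    r2 = srv.authenticate(r1["authId"], "alice")
    r3 = srv.authenticate(r2["authId"], "correct horse")
    print("user:", srv.validate_session(r3["tokenId"])["user"])
    srv.logout(r3["tokenId"])
```

The logout method is the point of the blacklist: because the signature on a client-based session stays valid until the token expires, the only way to end the session early is a server-side record that the session was logged out, which is why AM keeps that list in the CTS token store.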
