Identity Cloud

Introduction to sessions and cookies

A session is a token that represents an exchange of information, usually interactive, between AM and a user or identity.

AM creates an authentication session to track the user’s authentication progress through an authentication journey.

Once the user has authenticated, AM creates a session to manage the user’s or entity’s access to resources.

Authentication session allowlisting is an optional feature that maintains a list of in-progress authentication sessions and their progress in the authentication flow to protect against replay attacks.

For more information about the allowlisting setting, see Trees.

Sessions require the user or client to be able to hold on to cookies. AM issues a cookie to the user or entity regardless of the session location for client-side and server-side sessions.

For sessions stored in the CTS token store, the cookie contains a reference to the session in the CTS token store and several other pieces of information.

For sessions stored on the client, the cookie contains all the information that would be held in the CTS token store.

AM provides a unique, pseudo-random session cookie name for each tenant. Throughout the AM documentation, the tenant session cookie name is referred to as <session-cookie-name> to denote this generated value.

Session storage location is configured at the realm level. The following table illustrates where AM can store sessions:

Table 1. Session Storage Location
In the CTS token store On the client

Authentication sessions

✔ (Default)


✔ (Default)

Session storage location can be heterogeneous within the same AM deployment to suit the requirements of each of your realms.

Copyright © 2010-2022 ForgeRock, all rights reserved.