Identity Cloud

Introduction to sessions and cookies

Identity Cloud uses two types of tokens that represent an exchange of information, usually interactive, between Identity Cloud and a user or entity:

  • Authentication sessions, which Identity Cloud uses to manage authentication journeys before a user has authenticated successfully.

  • Sessions, which Identity Cloud creates after a user has authenticated successfully. Sessions let Identity Cloud manage the user’s or entity’s access to resources.

Sessions and cookies

Sessions require the user or client to be able to hold on to cookies.

Identity Cloud issues a cookie to the user or entity at the beginning of an authentication journey. This cookie corresponds to an authentication session.

Identity Cloud issues another cookie to the user or entity after successful authentication. This cookie corresponds to a session.

The content in these cookies differs depending on the session type and location.

Session location

Both authentication sessions and sessions can be stored on the client or on the server.

Sessions stored on the server are called server-side sessions. Server-side sessions are stored in a database internal to Identity Cloud called the Core Token Service (CTS) token store.

Sessions stored on the client are called client-side sessions. Client-side sessions are stored in the session cookie.

Regardless of the session location, Identity Cloud issues a cookie to the user or entity; however, the content in the session cookies differs depending on the session’s location:

  • Server-side sessions contain a reference to the session’s location in the CTS token store and several other pieces of information. The details about server-side sessions are maintained in the CTS token store.

  • Client-side session cookies contain all the details about the session.

Because server-side sessions only contain references to the locations where the session details are stored, while client-side cookies contain all the details about sessions, client-side session cookies are significantly larger than server-side session cookies.

Session location is configurable by realm. The following table illustrates where Identity Cloud can store sessions:

Table 1. Session storage location
In the CTS token store On the client

Authentication sessions

✔ (Default)


✔ (Default)

Session storage location can differ per realm, to suit specific realm requirements.

For more information about configuring session locations, refer to:

Identity Cloud provides a unique, pseudo-random session cookie name for each tenant. Throughout this documentation, the tenant session cookie name is referred to as <session-cookie-name> to denote this generated value.

  1. In the Identity Cloud admin UI, open the Tenant menu (upper right).

  2. Select Tenant Settings.

  3. Select Global Settings.

  4. View or copy the Cookie field value. This is used in HTTP header values in Identity Cloud API requests; for example, in the OAuth 2.0 authorization grant flow.

Authentication session allowlist

Authentication session allowlisting is an optional feature that maintains a list of in-progress authentication sessions and their progress in the authentication flow to protect against replay attacks.

For more information about the allowlisting setting, refer to Trees.

Copyright © 2010-2023 ForgeRock, all rights reserved.