Client-side sessions
PingOne Advanced Identity Cloud creates sessions either as client-side sessions or server-side sessions. The session location depends on the session configuration.
For client-side sessions, PingOne Advanced Identity Cloud returns the entire session state to the client in a session cookie after a request. The cookie is then passed back to PingOne Advanced Identity Cloud with each subsequent request.
Client-side authentication sessions
PingOne Advanced Identity Cloud uses authentication sessions to manage authentication journeys before a user has authenticated successfully.
Authentication sessions are configured as client-side sessions by default.
During authentication, the authentication session state is returned to the client after each call to the authenticate endpoint, and stored in the authId object of the JSON response.
Storing authentication sessions on the client lets PingOne Advanced Identity Cloud handle the authentication flow at any point in time without load balancing requirements.
For realms configured for server-side sessions, PingOne Advanced Identity Cloud attempts to invalidate client-side authentication sessions after creating the server-side sessions.
Client-side sessions
PingOne Advanced Identity Cloud creates sessions after a user's authentication flow has completed successfully.
For browser-based clients that use client-side sessions, PingOne Advanced Identity Cloud sets a cookie in the browser that contains the session state. When the browser returns the cookie, PingOne Advanced Identity Cloud decodes the session state from the cookie.
For REST-based clients, PingOne Advanced Identity Cloud sends the cookie in a header.
Session denylisting is an optional feature that maintains a list of logged out client-side sessions in the CTS token store. For more information about session termination and session denylisting, refer to Session termination.
Secure client-side sessions
For improved security, configure PingOne Advanced Identity Cloud to sign and/or encrypt client-side sessions and client-side authentication sessions. Because decrypting and verifying the session can be an expensive operation to perform on each request, PingOne Advanced Identity Cloud caches the decrypt sequence in memory to improve performance.
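The following added example is a conceptual model, not Ping Identity code and not the cookie format PingOne Advanced Identity Cloud uses. It shows why a client-side session needs both a signature and a denylist: a tampered cookie fails verification, while a logged-out cookie still verifies and is rejected only by the denylist lookup. The key, the token layout, and the names issue_session, validate_session and logout are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-key"  # constructed sample key (assumption)
denylist = {}        # sid -> expiry; stands in for the server-side denylist store
verified_cache = {}  # cookie -> claims; avoids re-verifying on every request (unbounded here)

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(body):
    return b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def issue_session(sid, user, ttl=3600, now=None):
    """Serialize the entire session state into a signed cookie value."""
    now = time.time() if now is None else now
    body = b64(json.dumps({"sid": sid, "sub": user, "exp": now + ttl}).encode())
    return body + "." + sign(body)

def validate_session(cookie, now=None):
    """Return the session claims, or None if the cookie must be rejected."""
    now = time.time() if now is None else now
    claims = verified_cache.get(cookie)
    if claims is None:
        body, sep, tag = cookie.partition(".")
        # Verify before decoding, so unauthenticated bytes are never parsed.
        if not sep or not hmac.compare_digest(tag.encode(), sign(body).encode()):
            return None
        claims = json.loads(unb64(body))
        verified_cache[cookie] = claims
    # Expiry and denylist are checked on every request, cache hit or not.
    if claims["exp"] <= now or claims["sid"] in denylist:
        return None
    return claims

def logout(cookie, now=None):
    """Denylist the session: its signature stays valid until it expires."""
    claims = validate_session(cookie, now)
    if claims is not None:
        denylist[claims["sid"]] = claims["exp"]
    return claims is not None
```

This model signs but does not encrypt, so the session state remains readable by the client; encryption is what hides it.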