PingGateway 2024.11

JwtSessionManager

Configures session cookie and timeout settings for stateless sessions. Set this as the "session" in the AdminHttpApplication (admin.json) for administrative requests and the GatewayHttpApplication (config.json ) or individual Route for other requests.

The user-agent stores the session data, and PingGateway puts the session data in a JWT stored as one or more session cookies on the user-agent.

Learn more about session management in Sessions.

Usage

{
  "name": string,
  "type": "JwtSessionManager",
  "config": {
    "authenticatedEncryptionSecretId": configuration expression<secret-id>,
    "encryptionMethod": configuration expression<string>,
    "cookie": {
      "name": configuration expression<string>,
      "domain": configuration expression<string>,
      "httpOnly": configuration expression<boolean>,
      "path": configuration expression<string>,
      "sameSite": configuration expression<enumeration>,
      "secure": configuration expression<boolean>
    },
    "sessionTimeout": configuration expression<duration>,
    "persistentCookie": configuration expression<boolean>,
    "secretsProvider": SecretsProvider reference,
    "skewAllowance": configuration expression<duration>,
    "useCompression": configuration expression<boolean>
  }
}

Properties

authenticatedEncryptionSecretId

"authenticatedEncryptionSecretId": configuration expression<secret-id>, optional

The secret ID of the encryption key used to perform authenticated encryption on a JWT. Authenticated encryption encrypts data and signs it with HMAC in a single step.

This secret ID must point to a CryptoKey.

Authenticated encryption is achieved with a symmetric encryption key. The secret must refer to a symmetric key. Learn more in RFC 5116.

Default: PingGateway generates a default symmetric key for authenticated encryption. Consequently, PingGateway instances cannot share the JWT session.

encryptionMethod

"encryptionMethod": configuration expression<string>, optional

The algorithm to use for authenticated encryption. Learn about allowed encryption algorithms in RFC 7518: "enc" (Encryption Algorithm) Header Parameter Values for JWE.

Default: A256GCM

"cookie": object, optional

The cookie used to store the secure JWT.

Default: The cookie is treated as a host-based cookie.

sessionTimeout

"sessionTimeout": configuration expression<duration>, optional

The duration of a valid JWT session. The cookie expires after this duration.

The value must be greater than zero and at most 3650 days (approximately 10 years). If you set a longer duration, PingGateway truncates the duration to 3650 days.

Default: 30 minutes

persistentCookie

"persistentCookie": configuration expression<boolean>,optional

Whether the supporting cookie is persistent:

  • true: the supporting cookie is a persistent cookie. The user-agent returns persistent cookies until their expiration date or until they are deleted.

  • false: the supporting cookie is a session cookie. PingGateway doesn’t specify an expiry date for session cookies. The user-agent deletes them when it considers the session terminated; for example, when the user closes the browser.

Default: false

secretsProvider

"secretsProvider": SecretsProvider reference, required

The SecretsProvider to query for the JWT session signing or encryption keys.

skewAllowance

"skewAllowance": configuration expression<duration>, optional

The duration to add to the validity period of a JWT to allow for clock skew between different servers.

A skewAllowance of 2 minutes affects the validity period as follows:

  • A JWT with an iat of 12:00 is valid from 11:58 on the PingGateway clock.

  • A JWT with an exp 13:00 is expired after 13:02 on the PingGateway clock.

Default: To support a zero-trust policy, the default skew allowance is zero.

useCompression

"useCompression": configuration expression boolean, optional

When true, PingGateway compresses the session JWT before setting it in a cookie.

Compression can undermine the security of encryption. Evaluate this threat according to your use case before you enable compression.

Default: false

Example

Learn more in Encrypt JWT sessions.

Copyright © 2010-2024 ForgeRock, all rights reserved.