Java Policy Agents 2023.3

Pre-Authentication Cookie Name

The name of the pre-authentication cookie. This cookie tracks the progress of authentication with AM, and protects requests from replay attacks. It contains the following information:

  • URL of the original request

  • HTTP mode

  • Secure ID (subsequently baked into the nonce of the returned JWT)

  • Relevant ACR information

  • Transaction ID

  • Expiry time configured by Max Age of Pre-Authentication Cookie

(Before Java Agent 5.7) The agent creates a single cookie containing records to identify all concurrent authentication requests to AM. In environments with many concurrent requests, or where the protected URLs are long, the cookie can reach the maximum size supported by the browser. When this happens, new authentication requests fail and the agent issues a 403 HTTP message to the user.

(Java Agent 5.7 and later versions) The agent can optionally create a cookie for each authentication request to AM. In some environments, this creates a large number of cookies. If tests in your environment make multiple requests to AM from the same browser, you may see intermittent 403 HTTP messages, because browsers can limit how many cookies they handle.

Configure the cookie name as follows:

  • To use one cookie for all concurrent authentication requests to AM, configure as a string. For example, org.forgerock.agents.authn.cookie.name=cookie-name.

  • To use one cookie for each authentication request to AM, configure as %n, or as %n before, in the middle of, or after a string. When the agent creates the cookie, it translates the string %n into a unique identifier. For example:

    • org.forgerock.agents.authn.cookie.name=%n

    • org.forgerock.agents.authn.cookie.name=%n-cookie-name

    • org.forgerock.agents.authn.cookie.name=cookie-%n-name

    • org.forgerock.agents.authn.cookie.name=cookie-name-%n

The agent compresses and then signs the cookie.
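The size trade-off between the two modes, modelled as an added example (not ForgeRock code and not the agent's real cookie format). Only the field list and the compress-then-sign order come from this page; the JSON layout, HMAC signing, base64 encoding, the 4096-byte limit, the `%n` identifier format and all sample values are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json, zlib

COOKIE_LIMIT = 4096                # assumption: typical per-cookie browser limit, in bytes
SIGNING_KEY = b"constructed-key"   # constructed for this demo, not an agent secret

def make_record(i, url_len=300):
    """Constructed record holding the fields the page lists for the cookie."""
    h = lambda s: hashlib.sha256(s.encode()).hexdigest()
    path = "".join(h(f"path-{i}-{j}") for j in range(url_len // 64 + 1))
    return {"url": ("https://app.example.com/" + path)[:url_len], "mode": "GET",
            "secureId": h(f"secure-{i}"), "acr": "", "txId": h(f"tx-{i}")[:32],
            "exp": 1700000000}

def encode_cookie(records):
    """Compress, then sign (order from the page); JSON, HMAC and base64 are assumed."""
    body = zlib.compress(json.dumps(records, separators=(",", ":")).encode())
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

def cookie_name(template, unique_id):
    """Expand %n wherever it appears; a name without %n is shared by all requests."""
    return template.replace("%n", unique_id)

def single_cookie_capacity(url_len=300, limit=COOKIE_LIMIT):
    """Concurrent requests one shared cookie holds before its value exceeds limit."""
    records = []
    while len(encode_cookie(records + [make_record(len(records), url_len)])) <= limit:
        records.append(make_record(len(records), url_len))
    return len(records)

def per_request_cookies(template, n, url_len=300):
    """Per-request mode: map each expanded cookie name to the size of its value."""
    return {cookie_name(template, f"{i:08x}"): len(encode_cookie([make_record(i, url_len)]))
            for i in range(n)}

if __name__ == "__main__":
    for url_len in (100, 300, 1000):
        print(f"URL length {url_len}: shared cookie holds "
              f"{single_cookie_capacity(url_len)} concurrent requests")
    sizes = per_request_cookies("cookie-%n-name", 30)
    print(f"per-request mode: {len(sizes)} cookies, largest value {max(sizes.values())} bytes")
```
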

Property name

org.forgerock.agents.authn.cookie.name

Aliases

com.sun.identity.agents.config.cdsso.cookie.name
  Introduced in Java Agent 5.0
  Recognized from AM 7

org.forgerock.agents.authn.cookie.name
  Introduced in Java Agent 5.6

Type

String

Default

amFilterCDSSORequest

Bootstrap property

No

Required property

No

Restart required

No

Local configuration file

AgentConfig.properties

AM console

Tab: Global (from AM 7)

Title: Pre-Authentication Cookie Name

Legacy title: Pre-Authenticated Cookie Name

Copyright © 2010-2023 ForgeRock, all rights reserved.