Enable Multivalue for Pre-Authn Cookie

The web agent uses the agent-authn-tx cookie to track the progress of authentication with AM and to protect the request from replay attacks.

When this property is true, the agent creates a single cookie containing records to identify all concurrent authentication requests to AM.

In environments with lots of concurrent requests, or where the protected URLs are long, the cookie can reach the maximum size supported by the browser. When this happens, new authentication requests fail and the agent issues a 403 HTTP message to the user.

When this property is false, the agent creates a pre-authentication cookie for each authentication request to AM, with the name of agent-authn-tx-string.

In some environments, this creates a large number of cookies. If tests in your environment make multiple requests to AM from the same browser, you may see intermittent 403 HTTP messages; browsers have a limit on how many cookies they can handle.

Something similar happens with web servers; they have a limit on how many headers (cookies) they can manage at one time. Set the property to true if you find that creating too many cookies is having an impact on your environment.
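To see which of the two failure modes described above applies, the following added example (not part of the agent or its documentation) audits a captured Cookie request header for agent-authn-tx cookies. The thresholds are assumptions: the per-cookie and per-domain values are the RFC 6265 minimums, and the header limit is a placeholder to replace with your web server's setting.

```python
PREFIX = "agent-authn-tx"   # cookie name from this page; per-request cookies add a suffix
MAX_COOKIE_BYTES = 4096     # assumed: RFC 6265 minimum size a browser supports per cookie
MAX_COOKIES = 50            # assumed: RFC 6265 minimum cookies a browser keeps per domain
MAX_HEADER_BYTES = 8190     # assumed: per-header limit; set to your web server's value


def parse_cookie_header(header):
    """Split a Cookie header value into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            pairs.append((name, value))
    return pairs


def audit(header):
    """Report pre-authn cookie count and sizes, and which assumed limits are exceeded."""
    cookies = parse_cookie_header(header)
    authn = [(n, v) for n, v in cookies if n.startswith(PREFIX)]
    sizes = [len(n) + 1 + len(v) for n, v in authn]  # length of "name=value"
    report = {
        "total_cookies": len(cookies),
        "authn_cookies": len(authn),
        "largest_authn_bytes": max(sizes, default=0),
        "header_bytes": len(header.encode("utf-8")),
        "findings": [],
    }
    if report["largest_authn_bytes"] > MAX_COOKIE_BYTES:
        report["findings"].append("single-cookie-too-large")  # multivalue cookie outgrew the limit
    if report["total_cookies"] > MAX_COOKIES:
        report["findings"].append("too-many-cookies")  # per-request cookies piled up
    if report["header_bytes"] > MAX_HEADER_BYTES:
        report["findings"].append("header-too-large")
    return report


# Constructed samples (not captured traffic): 60 small per-request cookies vs. one large cookie.
per_request = "; ".join(f"{PREFIX}-{i:04d}=" + "a" * 40 for i in range(60))
multivalue = f"{PREFIX}=" + "b" * 5000

if __name__ == "__main__":
    for label, hdr in (("per-request", per_request), ("multivalue", multivalue)):
        print(label, audit(hdr))
```

A `too-many-cookies` finding matches the case where this page advises setting the property to true; `single-cookie-too-large` matches the multivalue cookie reaching the maximum size.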

Default: false

Property name


Property aliases

org.forgerock.openam.agents.config.multivalue.pre.authn.cookies (since 5.7)


Boolean: true returns true; all other strings return false.

Bootstrap property


Required property


Restart required


AM console tab

SSO (Available in the console from AM 7)