How do I secure the JWT session cookie used by OpenIDM 4?
The purpose of this article is to provide information on securing the JWT session cookie used by OpenIDM. This cookie is used to maintain the session, which is stored in the browser.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Securing the JWT session cookie
Note
This information applies to all versions but is included in the documentation as of OpenIDM 4.5: Integrator's Guide › Supported Session Module.
You can secure the JWT session cookie by making the cookie HttpOnly and Secure as follows:
- Edit the authentication.json file (located in the /path/to/openidm/conf directory) and add the following properties to the JWT Session Module configuration:

      "isHttpOnly" : true,
      "isSecure" : true

  For example, the configuration for this module would now look similar to this (the outer closing brace, missing from the original fragment, is included here):

      "sessionModule" : {
          "name" : "JWT_SESSION",
          "properties" : {
              "keyAlias" : "openidm-localhost",
              "privateKeyPassword" : "&{openidm.keystore.password}",
              "keystoreType" : "&{openidm.keystore.type}",
              "keystoreFile" : "&{openidm.keystore.location}",
              "keystorePassword" : "&{openidm.keystore.password}",
              "maxTokenLifeMinutes" : "120",
              "tokenIdleTimeMinutes" : "30",
              "sessionOnly" : true,
              "isHttpOnly" : true,
              "isSecure" : true
          }
      }

- Check the cookie using your browser's developer tools to ensure the HttpOnly and Secure flags are set.
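The two steps above can be checked without a browser. The following is an added example written for this article, not ForgeRock's own code: it audits the sessionModule block of authentication.json for the two flags, produces a hardened copy, and parses a Set-Cookie header value to confirm HttpOnly and Secure are actually being sent. The cookie name "session-jwt" and the sample configuration and header values are assumptions constructed for the example.

```python
import copy
from http.cookies import SimpleCookie

# Constructed sample of the "sessionModule" block from authentication.json
# (not copied from a real deployment); the two flags are omitted on purpose.
SAMPLE_CONFIG = {
    "sessionModule": {
        "name": "JWT_SESSION",
        "properties": {
            "keyAlias": "openidm-localhost",
            "maxTokenLifeMinutes": "120",
            "tokenIdleTimeMinutes": "30",
            "sessionOnly": True,
        },
    }
}

# Constructed Set-Cookie header values; the cookie name "session-jwt" is an
# assumption about OpenIDM's default and the token value is a placeholder.
WEAK_SET_COOKIE = "session-jwt=eyJhbGciOiJub25lIn0.e30.sig; Path=/"
HARDENED_SET_COOKIE = "session-jwt=eyJhbGciOiJub25lIn0.e30.sig; Path=/; HttpOnly; Secure"

REQUIRED_FLAGS = {"isHttpOnly": True, "isSecure": True}

def audit_session_module(config):
    """Return the JWT_SESSION properties that are missing or not literally true."""
    module = config.get("sessionModule", {})
    if module.get("name") != "JWT_SESSION":
        return ["sessionModule is not JWT_SESSION"]
    props = module.get("properties", {})
    return [k for k, want in REQUIRED_FLAGS.items() if props.get(k) is not want]

def harden_session_module(config):
    """Return a deep copy of the config with isHttpOnly and isSecure set to true."""
    hardened = copy.deepcopy(config)
    hardened["sessionModule"].setdefault("properties", {}).update(REQUIRED_FLAGS)
    return hardened

def audit_set_cookie(header_value, cookie_name="session-jwt"):
    """Parse a Set-Cookie value and report the HttpOnly/Secure flags on the JWT cookie.

    Returns None when the named cookie is not present in the header value.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    if cookie_name not in jar:
        return None
    morsel = jar[cookie_name]
    return {"httponly": bool(morsel["httponly"]), "secure": bool(morsel["secure"])}
```

Feed audit_set_cookie the value of the Set-Cookie header from an OpenIDM login response (for example as captured by curl -i) to confirm the flags reach the browser.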
See Also
Integrator's Guide › Securing & Hardening OpenIDM
Integrator's Guide › Sessions and the JWT Cookie
Related Training
N/A
Related Issue Tracker IDs
N/A