How do I secure the JWT session cookie used by OpenIDM 4?

Last updated Jan 5, 2021

The purpose of this article is to provide information on securing the JWT session cookie used by OpenIDM. This cookie is used to maintain sessions, which are stored in the browser.


This article has been archived and is no longer maintained by ForgeRock.

Securing the JWT session cookie


This information applies to all versions but is included in the documentation as of OpenIDM 4.5: Integrator's Guide › Supported Session Module.

You can secure the JWT session cookie by setting its HttpOnly and Secure flags as follows:

  1. Edit the authentication.json file (located in the /path/to/openidm/conf directory) and add the following properties to the JWT Session Module configuration:

         "isHttpOnly" : true,
         "isSecure" : true

     For example, the configuration for this module would now look similar to this:

         "sessionModule" : {
             "name" : "JWT_SESSION",
             "properties" : {
                 "keyAlias" : "openidm-localhost",
                 "privateKeyPassword" : "&{openidm.keystore.password}",
                 "keystoreType" : "&{openidm.keystore.type}",
                 "keystoreFile" : "&{openidm.keystore.location}",
                 "keystorePassword" : "&{openidm.keystore.password}",
                 "maxTokenLifeMinutes" : "120",
                 "tokenIdleTimeMinutes" : "30",
                 "sessionOnly" : true,
                 "isHttpOnly" : true,
                 "isSecure" : true
             }
         }

  2. Check the cookie using your browser's developer tools to ensure the HttpOnly and Secure flags are set.
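The two steps above can be checked without a browser. The following is an added example, not code from the article or from ForgeRock: it reads a JWT_SESSION block from authentication.json, reports which of isHttpOnly and isSecure are missing, applies the hardening, and parses a Set-Cookie header for the HttpOnly and Secure attributes. The configuration fragment and the cookie header are constructed samples, and the trimmed property list is an assumption (only the keys relevant to the check are kept).

```python
import json

# Constructed sample of a JWT_SESSION block from authentication.json,
# before hardening (the two flags are absent). Not the article's file.
SAMPLE_AUTH_JSON = """{
  "sessionModule": {
    "name": "JWT_SESSION",
    "properties": {
      "keyAlias": "openidm-localhost",
      "maxTokenLifeMinutes": "120",
      "tokenIdleTimeMinutes": "30",
      "sessionOnly": true
    }
  }
}"""

REQUIRED_FLAGS = ("isHttpOnly", "isSecure")


def missing_session_flags(auth_json_text):
    """Return the required cookie flags that are not the JSON boolean true
    in the JWT_SESSION module properties (a string "true" does not count)."""
    cfg = json.loads(auth_json_text)
    module = cfg.get("sessionModule", {})
    if module.get("name") != "JWT_SESSION":
        raise ValueError("sessionModule is not JWT_SESSION")
    props = module.get("properties", {})
    return [flag for flag in REQUIRED_FLAGS if props.get(flag) is not True]


def harden_session_module(auth_json_text):
    """Return a copy of the configuration with both flags set to true (step 1)."""
    cfg = json.loads(auth_json_text)
    props = cfg.setdefault("sessionModule", {}).setdefault("properties", {})
    for flag in REQUIRED_FLAGS:
        props[flag] = True
    return json.dumps(cfg, indent=2)


def cookie_flags_present(set_cookie_header):
    """Parse a Set-Cookie header (step 2) and report whether the HttpOnly and
    Secure attributes are present; attribute names are case-insensitive."""
    attrs = {part.strip().lower() for part in set_cookie_header.split(";")[1:]}
    return {"HttpOnly": "httponly" in attrs, "Secure": "secure" in attrs}
```

A configuration that still reports missing flags, or a Set-Cookie header (constructed here as "session-jwt=...; Path=/; Secure; HttpOnly") that lacks either attribute, means the cookie is still exposed to script access or to transmission over plain HTTP.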

See Also

Integrator's Guide › Securing & Hardening OpenIDM

Integrator's Guide › Sessions and the JWT Cookie

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.