---
title: Configuring web session management settings
description: Configure web session management settings in PingAccess.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_configuring_web_session_management_settings
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_configuring_web_session_management_settings.html
revdate: December 3, 2024
section_ids:
  steps: Steps
  example: Example:
  choose-from: Choose from:
---

# Configuring web session management settings

Configure web session management settings in PingAccess.

## Steps

1. Click **Access**, then go to **Web Sessions > Web Session Management**.

2. In the **Web Session Management** section, select **Key Roll Enabled** to enable key rolling using the interval specified below.

3. Enter the **Key Roll Interval**, in hours, to specify how often you want to roll the keys (the default is `24` hours).

   Key rollover updates keys at regular intervals to ensure the security of signed and encrypted PingAccess tokens.

4. In the **Issuer** field, enter the published, unique identifier to be used with the web session (the default is PingAccess).

   ### Example:

   Set the issuer to a value that more closely represents your company. PingAccess inserts this value as the `iss` claim within the PingAccess token.

5. Select the **Signing Algorithm** used to protect the integrity of the PingAccess token (the default is `ECDSA using P-256 Curve`).

   PingAccess uses the algorithm when creating signed PingAccess tokens and when verifying signed tokens in a request from a user's browser. The algorithm is also used for signing tokens in token mediation use cases when PingAccess tokens are encrypted.

6. Select the **Encryption Algorithm** used to encrypt and protect the integrity of the PingAccess Token (the default is `AES 128 with CBC and HMAC SHA 256`).

   PingAccess uses the algorithm when creating encrypted PingAccess tokens and when verifying them from a user's browser.

   Higher encryption levels are available if the administrative console supports them. To enable higher encryption levels, update the administrative console Java Runtime Environment (JRE) to support the unlimited strength security policy.

   In a clustered environment, add the security policy changes to the engines as well as the administrative console for the cluster.

7. Enter the browser **Cookie Name** that contains the PingAccess token (the default is `PA`).

8. In the **Session State Cookie Name** field, enter a name for the browser cookie to contain session state attributes.

9. In the **Login State Cookie Name** field, enter a name for the browser cookie that contains the sign-on state.

   This temporary cookie tracks the number of sign-on reattempts that occur if you've configured a value for **Max Login Retries** in [Advanced web session settings](pa_advanced_web_session_settings.html). PingAccess clears the cookie after a sign-on attempt succeeds.

   Applicable only when the **OpenID Connect Login Type** is **Code**. Learn more in step 6 of [Creating web sessions](pa_creating_web_sessions.html).

   The default value is `PA_LOGIN`.

   |   |                                                                                                                              |
   | - | ---------------------------------------------------------------------------------------------------------------------------- |
   |   | Make sure to configure different values for **Cookie Name**, **Session State Cookie Name**, and **Login State Cookie Name**. |

10. In the **Update Token Window (s)** field, enter the number of seconds before the idle timeout is updated in the PingAccess token.

    When this time window expires, PingAccess reissues the PingAccess cookie with an updated idle timeout.

11. In the **Nonce Cookie Time to Live (m)** field, enter the number of minutes for which the nonce cookie is valid.

    The default value is `5`. PingAccess deletes cookies that are older than this threshold.

12. In the **Nonce SameSite Cookie** list, select a level of restriction for when cookies can be sent in a cross-site request:

    ### Choose from:

    * **Lax**: The cookie is sent on same-site requests and on top-level cross-site navigations that use a safe HTTP method (such as `GET`), but not on other cross-site requests, such as cross-site `POST` submissions, images, scripts, or iframes.

    * **Strict**: The cookie is sent only on same-site requests. It isn't sent on any cross-site request, including a top-level navigation from another site.

      |   |                                                                                                                                                                                                                                                                                                                                                                                                              |
      | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
      |   | The `SameSite=Strict` attribute provides greater protection against cross-site request forgery (CSRF), but can't fully prevent it. Use the `SameSite=Strict` attribute as part of a more comprehensive CSRF protection strategy. Learn more in section 8.8 of the IETF draft revision of RFC 6265, [Cookies: HTTP State Management Mechanism (rfc6265bis)](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-14#section-8.8). |

    * **None**: The cookie is sent on all requests, same-site and cross-site. Browsers that follow the current cookie specification reject `SameSite=None` on a cookie that lacks the `Secure` attribute, so this option requires HTTPS.

      |   |                                                                                                                                                                                                                                                                                              |
      | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | To prevent browser compatibility issues, if PingAccess detects that the user's browser matches any of the values set in the `pa.websession.cookie.sameSiteExcludedUserAgentPatterns` property in the `run.properties` file, PingAccess doesn't add the `SameSite=None` attribute to cookies. |

    * **Disabled**: PingAccess doesn't set the `SameSite` attribute. The browser determines how to handle the cookie.

      |   |                                                                                                                                                                                                                                                                |
      | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | A browser issue can prevent sign on if the `SameSite Cookie` attribute is set. Learn more in the [PingAccess 7.0 SameSite cookie upgrade issue release note entry](https://cdn-docs.pingidentity.com/archive/pdf/pingaccess/pingaccess-70.pdf#page=13) \[PDF]. |

    * **Legacy** (default): Maintain the same behavior as in PingAccess 8.1 and earlier:

      * PingAccess sets the nonce cookie without a `SameSite` setting if either:

        * The web session is set to the **Disabled** `SameSite` setting.

        * The user-agent matches one of the `pa.websession.cookie.sameSiteExcludedUserAgentPatterns`.

      * PingAccess sets the nonce cookie to **SameSite=None** if:

        * The web session uses any `SameSite` setting other than **Disabled** and the user-agent does not match one of the `pa.websession.cookie.sameSiteExcludedUserAgentPatterns`.

13. Click **Save**.
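The following script is an added example, not PingAccess code or part of the original page. It checks a set of `Set-Cookie` headers against the settings chosen in steps 4 to 12: the three cookie names must differ, a `SameSite=None` cookie must also be `Secure`, and the token cookie's JOSE header must name the configured algorithms (`ES256` and `A128CBC-HS256` are the RFC 7518 identifiers for the UI defaults). It also models how a browser applies each **Nonce SameSite Cookie** option to a request. The `Set-Cookie` lines and token values are constructed, the session-state and nonce cookie names (`PA_S`, `PA_NONCE`) are assumptions, and it assumes the token cookie value is a compact-serialized JWS or JWE.

```python
"""Checks for the web-session settings configured in the steps above.

Added example, not PingAccess code. The Set-Cookie lines and token values
are constructed; PA_S and PA_NONCE are assumed cookie names.
"""
import base64
import json
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
# JOSE identifiers (RFC 7518) for the defaults in steps 4 to 6.
EXPECTED_ISS = "PingAccess"
EXPECTED_ALG = "ES256"          # ECDSA using P-256 Curve
EXPECTED_ENC = "A128CBC-HS256"  # AES 128 with CBC and HMAC SHA 256


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False
    samesite: Optional[str] = None  # "Lax", "Strict", "None", or None when absent


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "samesite":
            cookie.samesite = val.capitalize()  # lax -> Lax, none -> None
    return cookie


def browser_would_send(cookie: Cookie, same_site: bool,
                       top_level_navigation: bool, method: str) -> bool:
    """Would a browser attach this cookie to the request? Encodes the Lax/Strict/None rules."""
    if same_site:
        return True
    # Chromium-family browsers treat a missing attribute as Lax; others may not (the Disabled option).
    mode = cookie.samesite or "Lax"
    if mode == "Strict":
        return False  # never on a cross-site request, not even a top-level navigation
    if mode == "Lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    if mode == "None":
        return cookie.secure  # browsers honour SameSite=None only on a Secure cookie
    raise ValueError(f"unknown SameSite value {cookie.samesite!r}")


def _b64url_json(segment: str) -> Dict[str, Any]:
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def audit(headers: Iterable[str], cookie_name: str, session_state_cookie_name: str,
          login_state_cookie_name: str) -> List[str]:
    """Return findings that contradict the settings chosen in this procedure."""
    findings: List[str] = []
    if len({cookie_name, session_state_cookie_name, login_state_cookie_name}) != 3:
        findings.append("Cookie Name, Session State Cookie Name and Login State Cookie Name must differ")
    for cookie in map(parse_set_cookie, headers):
        if cookie.samesite == "None" and not cookie.secure:
            findings.append(f"{cookie.name}: SameSite=None without Secure is rejected by browsers")
        if cookie.name != cookie_name:
            continue
        # Assumes the token cookie is a compact JWS (3 segments) or JWE (5 segments).
        segments = cookie.value.split(".")
        header = _b64url_json(segments[0])
        if len(segments) == 3:
            if header.get("alg") != EXPECTED_ALG:
                findings.append(f"{cookie.name}: signed with {header.get('alg')}, expected {EXPECTED_ALG}")
            if _b64url_json(segments[1]).get("iss") != EXPECTED_ISS:
                findings.append(f"{cookie.name}: unexpected iss claim")
        elif len(segments) == 5:
            if header.get("enc") != EXPECTED_ENC:
                findings.append(f"{cookie.name}: encrypted with {header.get('enc')}, expected {EXPECTED_ENC}")
        else:
            findings.append(f"{cookie.name}: value is not a compact JWS or JWE")
    return findings


def _jwt(*segments: Dict[str, Any], extra: int = 0) -> str:
    """Build a constructed token body for the sample (filler segments, no real signature)."""
    enc = [base64.urlsafe_b64encode(json.dumps(s).encode()).decode().rstrip("=") for s in segments]
    return ".".join(enc + ["x"] * extra)


SAMPLE_SET_COOKIE = [  # constructed, not captured from PingAccess
    "PA=" + _jwt({"alg": "ES256", "typ": "JWT"}, {"iss": "PingAccess", "sub": "alice"}, extra=1)
    + "; Path=/; Secure; HttpOnly",
    "PA_S=state-placeholder; Path=/; Secure; HttpOnly",
    "PA_NONCE=nonce-placeholder; Path=/; Secure; SameSite=None",
]

if __name__ == "__main__":
    print(audit(SAMPLE_SET_COOKIE, "PA", "PA_S", "PA_LOGIN") or "no findings")
```

To run it against a real deployment, capture the `Set-Cookie` headers from the response that completes the sign-on (for example from the browser's network panel) and pass them to `audit` with the cookie names you configured. `browser_would_send` is a model of the specification's rules, not of any one browser's quirks; the "Disabled" option in particular leaves the behaviour to the browser.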
