Access Management 7.3.2

Client-side session security

AM can issue server-side sessions, which contain a reference to the real session stored in the CTS store, or client-side sessions, which contain all the information that would be held in the CTS store.

While both types are susceptible to cookie hijacking, client-side sessions are even more vulnerable, since they contain all the information for the session. Therefore, the malicious user could tamper with the session data to their benefit.

When using client-side sessions and client-side authentication sessions, you should configure AM to sign and/or encrypt the JWT containing session information:

Client-side sessions and client-side authentication sessions share the same encryption and signing configuration.

To ensure that the client-side session cookie size does not surpass the browser supported size, web agents and Java agents do not support both signing and encrypting the session cookie.

For more information, refer to Client-side session security and agents.

Configure the JWT signature

Configure a JWT signature to prevent malicious tampering of client-side session and authentication session JWTs.

Perform the following steps to configure the JWT signature:

  1. Go to Configure > Global Services > Session > Client-Side Sessions.

  2. From the Signing Algorithm Type drop-down menu, choose a suitable algorithm for your environment.

    The default value is HS256.

    Do not sign the JWT if you plan to encrypt it with the Direct AES Encryption algorithm, because the signature will be redundant. To disable JWT signing, perform the following steps:

    1. Go to Configure > Server Defaults > Advanced.

    2. Set the org.forgerock.openam.session.stateless.signing.allownone property to true.

      How do I configure advanced server properties?
      • To configure advanced server properties for all instances of the AM environment, go to Configure > Server Defaults > Advanced in the AM admin UI.

      • To configure advanced server properties for a particular instance, go to Deployment > Servers > Server Name > Advanced.

      If the property you want to add or edit is already configured, click on the pencil () button to edit it. When you are finished, click on the tick () button.

      Click Save Changes.

    3. Go to Configure > Global Services > Session > Client-Side Sessions.

    4. From the Signing Algorithm Type drop-down list, choose NONE.

    5. Click Save Changes.

  3. Configure a secret relevant to the algorithm you chose:

    • If you specified an HMAC signing algorithm, change the value in the Signing HMAC Shared Secret field if you do not want to use the generated default value.

      Click Save Changes.

    • If you specified the RS256 signing algorithm, or any of the elliptic curve algorithms, configure a suitable secret in the am.global.services.session.clientbased.signing secret ID. You can only configure this secret at a global level.

      For more information about configuring secrets, refer to Secret stores.

For detailed information about Session Service configuration attributes, refer to the session entries.

Configure JWT encryption

Configure JWT encryption to prevent man-in-the-middle attackers from accessing a user’s session details, and to prevent end users from examining the content in the JWT.

Perform the following steps to encrypt the JWT:

  1. Go to Global Services > Session > Client-Side Sessions.

  2. From the Encryption Algorithm drop-down list, choose a suitable algorithm.

  3. If you chose the RSA algorithm, perform the following steps:

    • Configure a suitable secret in the am.global.services.session.clientbased.encryption secret ID.

      You can only configure this secret at a global level.

      For more information about configuring secrets, refer to Secret stores.

    • Configure one of the following paddings in the org.forgerock.openam.session.stateless.rsa.padding advanced server property:

      RSA1_5. RSA with PKCS#1 v1.5 padding.
      RSA-OAEP. RSA with OAEP and SHA-1.
      RSA-OAEP-256. RSA with OAEP padding and SHA-256.

      The default is RSA-OAEP-256.

    How do I configure advanced server properties?
    • To configure advanced server properties for all instances of the AM environment, go to Configure > Server Defaults > Advanced in the AM admin UI.

    • To configure advanced server properties for a particular instance, go to Deployment > Servers > Server Name > Advanced.

    If the property you want to add or edit is already configured, click on the pencil () button to edit it. When you are finished, click on the tick () button.

    Click Save Changes.

  4. If you chose the AES KeyWrapping or Direct AES Encryption algorithms, perform the following steps:

    • If you do not want to use the generated default value, enter a base64-encoded random key in the Encryption Symmetric AES Key field:

      • For direct encryption with AES-GCM, or for AES-KeyWrap with any content encryption method, the secret must be 128, 192, or 256 bits long.

      • For direct encryption with AES-CBC-HMAC, the secret must be 256, 384, or 512 bits long.

  5. Click Save Changes.

    • For the underlying content encryption method, configure one of the following encryption methods in the org.forgerock.openam.session.stateless.encryption.method advanced server property:

      A128CBC-HS256. AES 128-bit in CBC mode with HMAC-SHA-256-128 hash (HS256 truncated to 128 bits)
      A192CBC-HS384. AES 192-bit in CBC mode with HMAC-SHA-384-192 hash (HS384 truncated to 192 bits)
      A256CBC-HS512. AES 256-bit in CBC mode with HMAC-SHA-512-256 hash (HS512 truncated to 256 bits)
      A128GCM. AES 128-bit in GCM mode
      A192GCM. AES 192-bit in GCM mode
      A256GCM. AES 256-bit in GCM mode

      The default is A128CBC-HS256.

    How do I configure advanced server properties?
    • To configure advanced server properties for all instances of the AM environment, go to Configure > Server Defaults > Advanced in the AM admin UI.

    • To configure advanced server properties for a particular instance, go to Deployment > Servers > Server Name > Advanced.

    If the property you want to add or edit is already configured, click on the pencil () button to edit it. When you are finished, click on the tick () button.

    Click Save Changes.

  6. To compress the session state, choose Deflate Compression from the Compression Algorithm drop-down list.

    When set to Deflate compression, this option may lead to a possible vulnerability with session state information leakage. Because the session token compression depends on the data in the session, an attacker can vary one part of the session (for example, the username or some other property) and then deduce some secret parts of the session state by examining how the session compresses. You should evaluate this threat depending on your use cases before enabling compression and encryption together.

    By default, AM rejects compressed session JWTs that expand to a size larger than 32 KiB (32768 bytes). For more information, see Control the size of compressed JWTs.

For detailed information about Session Service configuration attributes, see the entries for Session.

Client-side session security and agents

To ensure that the client-side session cookie size does not surpass the browser supported size, web agents and Java agents do not support both signing and encrypting the session cookie. To configure agents with client-side sessions, implement one of the following configurations:

  • Configure signing and compression:

    1. Enable HS256 signing for the client-side session cookie.

      For more information, see Configure the JWT signature.

    2. Enable compression. Go to Configure > Global Services > Session > Client-Side Sessions and choose Deflate Compression from the Compression Algorithm drop-down list.

  • Configure encryption and compression:

    1. Set the org.forgerock.openam.session.stateless.signing.allownone advanced server property to true for all the instances in the environment.

    How do I configure advanced server properties?
    • To configure advanced server properties for all instances of the AM environment, go to Configure > Server Defaults > Advanced in the AM admin UI.

    • To configure advanced server properties for a particular instance, go to Deployment > Servers > Server Name > Advanced.

    If the property you want to add or edit is already configured, click on the pencil () button to edit it. When you are finished, click on the tick () button.

    Click Save Changes.

    1. Disable signing for the client-side session cookie. Go to Configure > Global Services > Session > Client-Side Sessions and choose NONE from the Signing Algorithm Type drop-down list.

    2. Enable Direct AES Encryption.

      For more information, see Configure JWT encryption.

    3. Enable compression. Go to Configure > Global Services > Session > Client-Side Sessions and choose Deflate Compression from the Compression Algorithm drop-down list.

Failure to set up client-side sessions correctly may cause unexpected errors when accessing a protected resource, such as blank pages and redirection loops.

Client-side sessions do not support restricted tokens. Therefore, web agents and Java agents configured in a realm configured for client-side sessions are not protected against cookie hijacking. ForgeRock recommends using web or Java agents with server-side sessions.