---
title: Secure session cookies
description: After authenticating an end user, AM stores their session (for client-side sessions), or a pointer to their session (for server-side sessions), in a cookie in the end user's browser.
component: pingam
version: 8.1
page_id: pingam:security:securing-cookies
canonical_url: https://docs.pingidentity.com/pingam/8.1/security/securing-cookies.html
keywords: ["Security", "Setup & Configuration", "Sessions"]
page_aliases: ["security-guide:securing-cookies.adoc"]
---

# Secure session cookies

After authenticating an end user, AM stores their session (for client-side sessions), or a pointer to their session (for server-side sessions), in a cookie in the end user's browser.

HTTPS communication already helps to keep cookies secure, since the encrypted traffic cannot be eavesdropped on. However, there are other ways a malicious user can hijack a cookie. For example, cross-site scripting (XSS) and cross-site tracing (XST) involve injecting HTML or JavaScript into a legitimate website. Using JavaScript, the malicious user can then steal the cookie directly from the browser.

The following table summarizes the tasks you need to perform to protect session cookies:

| Task | Resources |
| ---- | --------- |
| **Configure the `HttpOnly` flag.** This flag ensures that the session cookie is transmitted only over an HTTP or HTTPS channel and is not readable by client-side scripts, protecting your environment against most XSS attacks. | [HttpOnly session cookies](sec-rest-httponly.html) |
| **Configure the `secure` flag.** This flag ensures that the session cookie is transmitted only over HTTPS, so it is not carried over insecure HTTP redirections. | [Secure cookies by default](configuring-secure-cookies.html) |
| **Choose a session cookie name.** Change the name of the session cookie from the default, `iPlanetDirectoryPro`. | [Change the session cookie name](change-name-of-SSO-cookie.html) |
| **Restrict CDSSO tokens to protect them against hijacking.** By default, AM provides a CDSSO token that is valid for the appropriate realms. Restrict tokens so that AM issues different tokens for different realms. | [Restrict tokens for CDSSO session cookies](enable-cdsso-cookie-hijacking-protection.html) |
| **Use host-only cookies.** Host-only cookies are more secure than domain cookies, so you *should* use host-only cookies unless you have a good business case for using domain cookies. | [Cookie Domains](../setup/services-configuration.html#cookie-domains) |

Note: Client-side sessions are more vulnerable to hijacking, since they contain all the session information. To configure additional security measures, see [Client-side session security](session-state-configure-cookie-security.html).
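As an added example (not part of the AM documentation or product), the following Python code inspects a `Set-Cookie` header for the protections listed in the table above: the `HttpOnly` and `secure` flags, the default cookie name, and a `Domain` attribute that makes the cookie a domain cookie rather than a host-only one. Only the default name `iPlanetDirectoryPro` comes from this page; the header strings are constructed samples.

```python
"""Inspect a Set-Cookie header for the AM session-cookie protections described above.

Added example for illustration; it is not part of the AM documentation or product.
Only the default cookie name iPlanetDirectoryPro comes from the page; the header
strings below are constructed samples, not captured from a real deployment.
"""
from __future__ import annotations

DEFAULT_COOKIE_NAME = "iPlanetDirectoryPro"  # AM's default session cookie name


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | bool]]:
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as HttpOnly map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def check_session_cookie(header: str) -> list[str]:
    """Return findings for a session cookie; an empty list means every check passed."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by page scripts (XSS/XST exposure)")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain-HTTP redirections")
    if name == DEFAULT_COOKIE_NAME:
        findings.append(f"default cookie name {name!r}: change it from the AM default")
    if "domain" in attrs:
        findings.append(
            f"domain cookie (Domain={attrs['domain']}): shared with every host under that "
            "domain; prefer a host-only cookie unless there is a business case"
        )
    return findings


# Constructed sample headers (not captured from a real deployment).
WEAK_HEADER = "iPlanetDirectoryPro=AQIC-constructed-token; Path=/; Domain=.example.com"
HARDENED_HEADER = "amsession=AQIC-constructed-token; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        findings = check_session_cookie(header)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against the `Set-Cookie` header AM returns after authentication to confirm the flags and cookie name match what you configured.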
