InMemorySessionManager
Configures the session cookie and timeout settings for stateful sessions.
Set this as the "session" in the AdminHttpApplication (admin.json) for administrative requests and the GatewayHttpApplication (config.json) or individual Route for other requests.
PingGateway stores the session data and sets a session cookie on the user-agent to reference the session.
Learn more about session management in Sessions.
Usage
{
    "name": string,
    "type": "InMemorySessionManager",
    "config": {
        "timeout": configuration expression<duration>,
        "cookie": {
            "name": configuration expression<string>,
            "secure": configuration expression<boolean>,
            "sameSite": configuration expression<enumeration>,
            "httpOnly": configuration expression<boolean>,
            "path": configuration expression<string>
        }
    }
}
Properties
"timeout": configuration expression<duration>, optional
The duration of a valid session. The cookie expires after this duration.
Default: 30 minutes
"cookie": object, optional
The cookie used to store the reference to the session.
Default: A cookie with default settings.
"name": configuration expression<string>, optional
The name of the cookie stored on the user-agent. Change the default name to improve security.
Default: IG_SESSIONID
"secure": configuration expression<boolean>, optional
Set to true to limit the scope of the cookie to secure channels.
When true, the user-agent can return cookies only over HTTPS. The user-agent must be connected to its next hop by HTTPS.
Default: false
"sameSite": configuration expression<enumeration>, optional
Options to manage the circumstances in which a cookie is sent to the server. Use one of the following values to reduce the risk of CSRF attacks:
- STRICT: Send the cookie only if the request was initiated from the cookie domain. Not case-sensitive. Use this value to reduce the risk of cross-site request forgery (CSRF) attacks.
- LAX: Send the cookie only with GET requests in a first-party context, where the URL in the address bar matches the cookie domain. Not case-sensitive. Use this value to reduce the risk of cross-site request forgery (CSRF) attacks.
- NONE: Send the cookie whenever a request is made to the cookie domain. Not case-sensitive. With this setting, set "secure": true to prevent browsers from rejecting the cookie. Learn more in SameSite cookies.
Default: LAX
"httpOnly": configuration expression<boolean>, optional
Set to true to mitigate the risk of client-side scripts accessing protected cookies.
Default: true
"path": configuration expression<string>, optional
The URL path that must exist in the requested URL for PingGateway to use the cookie.
Default: /
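The following audit script is an added example, not part of the PingGateway documentation or product. It applies the defaults listed above to an InMemorySessionManager declaration and reports cookie settings that weaken the session. The function names, the sample declarations and the cookie name example-session are assumptions made for illustration.

```python
import json

# Cookie defaults as documented on this page.
DEFAULTS = {"name": "IG_SESSIONID", "secure": False, "sameSite": "LAX",
            "httpOnly": True, "path": "/"}


def effective_cookie(manager):
    """Merge the documented defaults with the "cookie" object of one declaration."""
    cookie = (manager.get("config") or {}).get("cookie") or {}
    return {**DEFAULTS, **cookie}


def as_bool(value):
    """Literal booleans are returned as-is; anything else (an expression) is None."""
    return value if isinstance(value, bool) else None


def audit(manager):
    """Return a list of findings for an InMemorySessionManager declaration."""
    if manager.get("type") != "InMemorySessionManager":
        raise ValueError("not an InMemorySessionManager declaration")
    c = effective_cookie(manager)
    findings = []
    for key in ("secure", "httpOnly"):
        if as_bool(c[key]) is None:  # cannot be judged without evaluating it
            findings.append(f"{key}: expression {c[key]!r} must be checked at runtime")
    if as_bool(c["secure"]) is False:
        findings.append("secure: false, cookie can be returned over plain HTTP")
    if as_bool(c["httpOnly"]) is False:
        findings.append("httpOnly: false, client-side scripts can read the cookie")
    same_site = str(c["sameSite"]).upper()  # values are not case-sensitive
    if same_site not in ("STRICT", "LAX", "NONE"):
        findings.append(f"sameSite: {c['sameSite']!r} is not STRICT, LAX or NONE")
    elif same_site == "NONE" and as_bool(c["secure"]) is not True:
        findings.append("sameSite: NONE without secure: true, browsers may reject the cookie")
    if c["name"] == DEFAULTS["name"]:
        findings.append("name: default IG_SESSIONID is still in use")
    return findings


# Constructed sample declarations, not taken from a real deployment.
WEAK = json.loads('{"type": "InMemorySessionManager", "config": {"cookie": {"sameSite": "none"}}}')
HARDENED = json.loads('{"type": "InMemorySessionManager", "config": {"timeout": "15 minutes",'
                      ' "cookie": {"name": "example-session", "secure": true, "sameSite": "STRICT"}}}')

if __name__ == "__main__":
    for label, decl in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(decl) or "no findings")
```

Values given as configuration expressions rather than literals are reported for manual review, because the script does not evaluate them.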