PingGateway 2024.11

JwtSessionManager

Configures session cookie and timeout settings for stateless sessions. Set this as the "session" in the AdminHttpApplication (admin.json) for administrative requests and the GatewayHttpApplication (config.json) or individual Route for other requests.

The user-agent stores the session data, and PingGateway puts the session data in a JWT stored as one or more session cookies on the user-agent.

Learn more about session management in Sessions.

Usage

{
  "name": string,
  "type": "JwtSessionManager",
  "config": {
    "authenticatedEncryptionSecretId": configuration expression<secret-id>,
    "encryptionMethod": configuration expression<string>,
    "cookie": {
      "name": configuration expression<string>,
      "domain": configuration expression<string>,
      "httpOnly": configuration expression<boolean>,
      "path": configuration expression<string>,
      "sameSite": configuration expression<enumeration>,
      "secure": configuration expression<boolean>
    },
    "sessionTimeout": configuration expression<duration>,
    "persistentCookie": configuration expression<boolean>,
    "secretsProvider": SecretsProvider reference,
    "skewAllowance": configuration expression<duration>,
    "useCompression": configuration expression<boolean>
  }
}

Properties

authenticatedEncryptionSecretId

"authenticatedEncryptionSecretId": configuration expression<secret-id>, optional

The secret ID of the encryption key used to perform authenticated encryption on a JWT. Authenticated encryption encrypts data and signs it with HMAC in a single step.

This secret ID must point to a CryptoKey.

Authenticated encryption is achieved with a symmetric encryption key. The secret must refer to a symmetric key. Learn more in RFC 5116.

Default: PingGateway generates a default symmetric key for authenticated encryption. Consequently, PingGateway instances cannot share the JWT session.

encryptionMethod

"encryptionMethod": configuration expression<string>, optional

The algorithm to use for authenticated encryption. Learn about allowed encryption algorithms in RFC 7518: "enc" (Encryption Algorithm) Header Parameter Values for JWE.

Default: A256GCM

cookie

"cookie": object, optional

The cookie used to store the secure JWT.

Default: The cookie is treated as a host-based cookie.

sessionTimeout

"sessionTimeout": configuration expression<duration>, optional

The duration of a valid JWT session. The cookie expires after this duration.

The value must be greater than zero and at most 3650 days (approximately 10 years). If you set a longer duration, PingGateway truncates the duration to 3650 days.

Default: 30 minutes

persistentCookie

"persistentCookie": configuration expression<boolean>, optional

Whether the supporting cookie is persistent:

  • true: the supporting cookie is a persistent cookie. The user-agent returns persistent cookies until their expiration date or until they are deleted.

  • false: the supporting cookie is a session cookie. PingGateway doesn’t specify an expiry date for session cookies. The user-agent deletes them when it considers the session terminated; for example, when the user closes the browser.

Default: false

secretsProvider

"secretsProvider": SecretsProvider reference, required

The SecretsProvider to query for the JWT session signing or encryption keys.

skewAllowance

"skewAllowance": configuration expression<duration>, optional

The duration to add to the validity period of a JWT to allow for clock skew between different servers.

A skewAllowance of 2 minutes affects the validity period as follows:

  • A JWT with an iat of 12:00 is valid from 11:58 on the PingGateway clock.

  • A JWT with an exp of 13:00 is expired after 13:02 on the PingGateway clock.

Default: To support a zero-trust policy, the default skew allowance is zero.
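The sessionTimeout bounds and the skewAllowance arithmetic above, worked through as an added example (not PingGateway code, which is Java; this is a stand-alone Python model). Function names, the constructed timestamps and the inclusive treatment of both window boundaries are assumptions, chosen to match the page's "valid from 11:58" / "expired after 13:02" wording.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Bounds documented on this page for sessionTimeout.
DEFAULT_SESSION_TIMEOUT = timedelta(minutes=30)
MAX_SESSION_TIMEOUT = timedelta(days=3650)


def effective_session_timeout(requested: Optional[timedelta]) -> timedelta:
    """Default 30 minutes; must be > 0; anything above 3650 days is truncated."""
    if requested is None:
        return DEFAULT_SESSION_TIMEOUT
    if requested <= timedelta(0):
        raise ValueError("sessionTimeout must be greater than zero")
    return min(requested, MAX_SESSION_TIMEOUT)


def validity_window(iat: datetime,
                    session_timeout: Optional[timedelta] = None,
                    skew_allowance: timedelta = timedelta(0)) -> Tuple[datetime, datetime]:
    """(not_before, not_after) for a session JWT issued at `iat`.
    exp = iat + sessionTimeout; skewAllowance widens both ends of the window."""
    if skew_allowance < timedelta(0):
        raise ValueError("skewAllowance must not be negative")
    exp = iat + effective_session_timeout(session_timeout)
    return iat - skew_allowance, exp + skew_allowance


def is_session_valid(iat: datetime, now: datetime,
                     session_timeout: Optional[timedelta] = None,
                     skew_allowance: timedelta = timedelta(0)) -> bool:
    """True when `now` (the gateway clock) is inside the widened window.
    Both boundaries are inclusive here (assumption, following the page's wording)."""
    not_before, not_after = validity_window(iat, session_timeout, skew_allowance)
    return not_before <= now <= not_after


def _clock(hh: int, mm: int) -> datetime:
    # Constructed sample timestamp on an arbitrary day, UTC.
    return datetime(2024, 11, 1, hh, mm, tzinfo=timezone.utc)


def _minutes(n: int) -> timedelta:
    return timedelta(minutes=n)


if __name__ == "__main__":
    # The page's example: iat 12:00, exp 13:00, skewAllowance 2 minutes.
    iat, timeout, skew = _clock(12, 0), _minutes(60), _minutes(2)
    print(validity_window(iat, timeout, skew))                  # 11:58 .. 13:02
    print(is_session_valid(iat, _clock(11, 58), timeout, skew))  # True
    print(is_session_valid(iat, _clock(13, 3), timeout, skew))   # False
```

With skewAllowance left at its zero default, the same JWT is rejected at 11:59 and at 13:01, which is the behaviour the default is meant to give.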

useCompression

"useCompression": configuration expression<boolean>, optional

When true, PingGateway compresses the session JWT before setting it in a cookie.

Compression can undermine the security of encryption. Evaluate this threat according to your use case before you enable compression.

Default: false

Example

Learn more in Encrypt JWT sessions.