---
title: InMemorySessionManager
description: Configures the session cookie and timeout settings for in-memory sessions.
component: pinggateway
version: 2026
page_id: pinggateway:reference:InMemorySessionManager
canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/InMemorySessionManager.html
revdate: 2026-02-23T12:00:00Z
section_ids:
  usage: Usage
  properties: Properties
  more_information: More information
---

# InMemorySessionManager

Configures the session cookie and timeout settings for in-memory sessions.

Set this as the `"session"` in the [AdminHttpApplication (`admin.json`)](AdminHttpApplication.html) for administrative requests and the [GatewayHttpApplication (`config.json`)](GatewayHttpApplication.html) or individual [Route](Route.html) for other requests. PingGateway stores the session data and sets a session cookie on the user-agent to reference the session.

Learn more about session management in [PingGateway sessions](../about/about-sessions.html).

## Usage

```none
{
  "name": string,
  "type": "InMemorySessionManager",
  "config": {
    "timeout": configuration expression<duration>,
    "cookie": {
      "name": configuration expression<string>,
      "domain": configuration expression<string>,
      "httpOnly": configuration expression<boolean>,
      "path": configuration expression<string>,
      "sameSite": configuration expression<enumeration>,
      "secure": configuration expression<boolean>
    }
  }
}
```

## Properties

* `"timeout"`: *configuration expression<[duration](preface.html#definition-duration)>, optional*

  The duration of a valid session. The cookie expires after this duration.

  Default: 30 minutes

* `"cookie"`: *[object](preface.html#definition-object), optional*

  The cookie used to store the reference to the session.

  Default: A cookie with default settings.

  * `"name"`: *configuration expression<[string](preface.html#definition-string)>, optional*

    The name of the cookie stored on the user-agent. Change the default name to improve security.

    Default: `IG_SESSIONID`

  * `"domain"`: *configuration expression<[string](preface.html#definition-string)>, optional*

    The domain name for servers that can access the cookie.

    Only set the domain if the user-agent can return cookies to servers in the domain on its next hop.

    Default: The fully qualified hostname of the user-agent's next hop.

  * `"httpOnly"`: *configuration expression<[boolean](preface.html#definition-boolean)>, optional*

    Set to `true` to mitigate the risk of client-side scripts accessing protected cookies.

    Default: `true`

  * `"path"`: *configuration expression<[string](preface.html#definition-string)>, optional*

    The URL path that must exist in the requested URL for PingGateway to use the cookie.

    Default: `/`

  * `"sameSite"`: *configuration expression<[enumeration](preface.html#definition-enumeration)>, optional*

    Options to manage the circumstances in which a cookie is sent to the server. Use one of the following values to reduce the risk of CSRF attacks:

    * `STRICT`: Send the cookie only if the request was initiated from the cookie domain. Not case-sensitive.

      Use this value to reduce the risk of cross-site request forgery (CSRF) attacks.

    * `LAX`: Send the cookie only with GET requests in a first-party context, where the URL in the address bar matches the cookie domain. Not case-sensitive.

      Use this value to reduce the risk of cross-site request forgery (CSRF) attacks.

    * `NONE`: Send the cookie whenever a request is made to the cookie domain. Not case-sensitive.

      With this setting, set `"secure": true` to prevent browsers from rejecting the cookie. Learn more in [SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite).

    Default: `LAX`

  * `"secure"`: *configuration expression<[boolean](preface.html#definition-boolean)>, optional*

    Set to `true` to limit the scope of the cookie to secure channels.

    When `true`, the user-agent can return cookies only over HTTPS. The user-agent must be connected to its next hop by HTTPS.

    Default: `false`
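
The following added example (not part of the PingGateway documentation or product code) audits an `InMemorySessionManager` object against the cookie properties and defaults described above. The function name `audit_session_manager`, the finding messages, and the sample objects, including the cookie name `app_sid`, are constructed for illustration.

```python
import json

# Cookie defaults as documented on this page.
DEFAULTS = {"name": "IG_SESSIONID", "httpOnly": True, "path": "/",
            "sameSite": "LAX", "secure": False}

def audit_session_manager(obj):
    """Return (property, message) findings for one session manager object."""
    if obj.get("type") != "InMemorySessionManager":
        return []
    cookie = {**DEFAULTS, **obj.get("config", {}).get("cookie", {})}
    findings = []

    def literal(key):
        # "${...}" configuration expressions resolve at runtime; flag them
        # for manual review instead of guessing their value.
        value = cookie[key]
        if isinstance(value, str) and "${" in value:
            findings.append((key, "expression: review the resolved value"))
            return None
        return value

    if literal("name") == DEFAULTS["name"]:
        findings.append(("name", "default cookie name in use"))
    if literal("httpOnly") is False:
        findings.append(("httpOnly", "client-side scripts can read the cookie"))
    secure = literal("secure")
    if secure is False:
        findings.append(("secure", "cookie is not limited to HTTPS"))
    same_site = literal("sameSite")
    if isinstance(same_site, str) and same_site.upper() == "NONE":
        findings.append(("sameSite", "cookie sent on every request to its domain"))
        if secure is False:
            findings.append(("sameSite", "NONE without secure: browsers reject it"))
    return findings

# Constructed sample objects, not taken from the PingGateway documentation.
WEAK = json.loads("""{"name": "Session", "type": "InMemorySessionManager",
  "config": {"cookie": {"httpOnly": false, "sameSite": "none"}}}""")
HARDENED = json.loads("""{"name": "Session", "type": "InMemorySessionManager",
  "config": {"cookie": {"name": "app_sid", "httpOnly": true,
                        "sameSite": "STRICT", "secure": true}}}""")

if __name__ == "__main__":
    for label, obj in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_session_manager(obj))
```

Properties given as configuration expressions are reported for manual review because their values are only known at runtime.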

## More information

[org.forgerock.openig.session.cookie.InMemorySessionManagerHeaplet](../_attachments/apidocs/org/forgerock/openig/session/cookie/InMemorySessionManagerHeaplet.html)
