Authentication, Single Sign ON, Session & Cookies

Different types of Authentication



FIDO (Fast Identity Online)


AuthN / SSO flow

  • The user tries to access a resource protected by an access manager (AM) and is intercepted by the agent.
  • AM looks for a valid user session.
  • If there is no valid session, the user is redirected to an authentication page.
  • The user enters his/her credentials or presents his certificate as the proof of identity.
  • If the authN is successful, a cookie with a session value is set in the browser.
  • After successful authN, a session value is generated and set with a sessionIdentifier.
  • Until the expiry of a session, the user can access different resources / services protected by the access manager within the scope of the user organization and the user is not prompted to re authenticate.
  • The user can end the session either through logout or upon session expiry (idle time).
  • The user doesn’t enter the right credentials, the authN is a failure. Access to resources is denied.

HTTP Cookie:

  1. One of the elements of the Cookie is the custom name=values pair which stores the sessionidentitifer=<session value>.
  2. HTTPOnly — This feature protects against CROS — cross site scripting vulnerabilities that can be exploited through Javascript or other scripting languages. When the HTTPonly flag is enabled, the header will be set to HTTPOnly flag in the token. If an invalid token is detected, then the token is ignored and auhtN continues.
  3. On Logout the set-cookie clears the session cookie in the browser.
  4. Secure — Secure keyword allows cookie access only over SSL, Non SSL access is denied.
  5. Domain — This value indicates how the cookies impact the domain, usually it affects the complete domain If you want to configure multiple subdomains, those subdomains have to be configured individually.
  6. Path — The path indicates the directory to which the cookie has an impact. The /sso folder or its sub folders.
  7. Expires — This holds the UTC formatted lifetime of a cookie.
  8. Set the httpOnly cookie in AM by logging into the console and Set the value of the com.sun.identity.cookie.httponly property to true.

Session Cookies

Cross Domain Single Sign On (CDSSO)

Grouping / Realm

Session Termination

CTS Session termination

  1. User logs out.
  2. Session idle time-out
  3. Admin terminates session
  4. Session exceeds the time-to live.

Session Upgrade:

Session Quotas /Constraints -

  • Deny user login
  • Delete Oldest session
  • Destroy an expired session or all previous sessions.

Java Agents/ WebAgents/ WebGates (OAM)




I am an Identity & Access Management Consultant. My tech. writing interests are IAM (Forgerock, Oracle IAM,OKTA ), DevOps (Jenkins,Dockers, K8s) & Blockchain.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

#BSCStation (BSCS) IDO 👉 Building A full stake Defi with NFT auction on binance smart chain .

Is Telegram messenger better than WhatsApp messenger?

LocalBitcoins’ CCO and CISO Talk Regulation, Security and Customer Privacy

{UPDATE} Super Bikes 2018 Hack Free Resources Generator

Today, every business interaction is a possible scam

Tough decision for Consumers to either never answer a phone call or to be scammed.

Do you hate Robo Calls? Here’s how to fix that . . .

Digital Safety Planning

Impossible Finance exploit root cause analysis

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Mat David

Mat David

I am an Identity & Access Management Consultant. My tech. writing interests are IAM (Forgerock, Oracle IAM,OKTA ), DevOps (Jenkins,Dockers, K8s) & Blockchain.

More from Medium

Keycloak Social Login with Custom Login Page

Provision a Object Storage cluster with Leaseweb Dedicated Server API

Running E2E tests in a Dockerized Environment