[OpenAM] Session cookie
VERAC Maxime
Maxime.VERAC at solucom.fr
Fri Dec 10 04:09:38 EST 2010
Hello everybody,
I understand that the session cookie is just a key to allow the agent to
retrieve the pertaining session data, but I need to study the strength
of this key to make sure that nobody is able to forge such a cookie and
then get a valid session (I know that I can link a cookie with a source
IP but it's not possible in my use case).
(by the way, the chapter 5 of OpenSSO Technical Overview asserts the
following : "The session token, also referred to as a sessionID and
programmatically as an SSOToken, is an encrypted, unique string that
identifies the session data structure"). Is this assumption wrong?
Should I understand encrypted as base64 encoded?
Therefore, is anybody able to provide me with more information on how
this cookie is generated (size of the cookie, random generator...)?
Thank you in advance for your help!
Regards,
Maxime VERAC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.forgerock.org/pipermail/openam/attachments/20101210/90097590/attachment.html
More information about the OpenAM
mailing list