[OpenAM] Session cookie

VERAC Maxime Maxime.VERAC at solucom.fr
Fri Dec 10 09:09:38 GMT 2010

Hello everybody,


I understand that the session cookie is just a key to allow the agent to
retrieve the pertaining session data, but I need to study the strength
of this key to make sure that nobody is able to forge such a cookie and
then get a valid session (I know that I can link a cookie with a source
IP but it's not possible in my use case).


(By the way, chapter 5 of the OpenSSO Technical Overview asserts the
following: "The session token, also referred to as a sessionID and
programmatically as an SSOToken, is an encrypted, unique string that
identifies the session data structure"). Is this assumption wrong?
Should I understand encrypted as base64 encoded?


Therefore, is anybody able to provide me with more information on how
this cookie is generated (size of the cookie, random generator...)?


Thank you in advance for your help!


Maxime VERAC

