[OpenAM] Session cookie

Steve Ferris steve.ferris at forgerock.com
Fri Dec 10 10:15:03 GMT 2010

The session cookie is made up from two parts:

Session ID
Server Identifier

The Session ID

The session ID is a SHA1-PRNG generated secure hash. This hash references the session on the authoritative server. In order to forge the cookie, they would need to guess a PRNG that matched exactly to a valid session with the same hash on a server. This would be next to impossible; it would be easier to try and steal the cookie value rather than try and generate a valid one from scratch.

The Server Identifier varies depending on whether the server is in a site and whether the site is running session failover. The whole server identifier is base64 encoded. It is made up like this:


S1 is server instance, the server where the session resides
SI is the Site Identifier, the site where the server resides
SK is the storage key, used during session failover.

Steve Ferris : ForgeRock AS : e: steve.ferris at forgerock.com
t: +44 (0)7813 709285 f: +44 (0)7971 042421 w: forgerock.com
OpenAM, the new name for OpenSSO

On 10 Dec 2010, at 9:09am, VERAC Maxime wrote:

> Hello everybody,
> I understand that the session cookie is just a key to allow the agent to retrieve the pertaining session data, but I need to study the strength of this key to make sure that nobody is able to forge such a cookie and then get a valid session (I know that I can link a cookie with a source IP but it's not possible in my use case).
> (By the way, chapter 5 of the OpenSSO Technical Overview asserts the following: "The session token, also referred to as a sessionID and programmatically as an SSOToken, is an encrypted, unique string that identifies the session data structure"). Is this assumption wrong? Should I understand encrypted as base64 encoded?
> Therefore, is anybody able to provide me with more information on how this cookie is generated (size of the cookie, random generator...)?
> Thank you in advance for your help!
> Regards,
> Maxime VERAC

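Added example, not part of the original message and not OpenAM code: a minimal Java sketch of the model described in the reply, where the cookie value is an opaque SHA1PRNG-generated reference to server-side session state rather than encrypted data. The class name, method names, the 20-byte ID length and the session count used in the estimate are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Illustrative only: not OpenAM code. The 20-byte ID length and the
// class and method names are assumptions made for this sketch.
public class OpaqueSessionStore {
    private static final int ID_BYTES = 20; // assumed size (160 bits)
    private final SecureRandom prng;
    private final Map<String, String> sessions = new ConcurrentHashMap<>();

    public OpaqueSessionStore() throws NoSuchAlgorithmException {
        // "SHA1PRNG" is the standard JCA algorithm name for this generator.
        prng = SecureRandom.getInstance("SHA1PRNG");
    }

    // Create a session and return the opaque ID the cookie would carry.
    public String create(String principal) {
        byte[] raw = new byte[ID_BYTES];
        prng.nextBytes(raw); // self-seeds from the platform entropy source on first use
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(id, principal);
        return id;
    }

    // The ID carries no data; it is only a key into server-side state.
    public Optional<String> lookup(String id) {
        return Optional.ofNullable(id).map(sessions::get);
    }

    public static void main(String[] args) throws Exception {
        OpaqueSessionStore store = new OpaqueSessionStore();
        String id = store.create("demo-user"); // constructed sample principal
        System.out.println("valid id resolves:  " + store.lookup(id).isPresent());

        // A random value of the right shape does not reference any session.
        byte[] guess = new byte[ID_BYTES];
        new SecureRandom().nextBytes(guess);
        String forged = Base64.getUrlEncoder().withoutPadding().encodeToString(guess);
        System.out.println("forged id resolves: " + store.lookup(forged).isPresent());

        // Rough guessing odds: live sessions / 2^(8 * ID_BYTES) per attempt.
        double log2PerGuess = Math.log(1_000_000) / Math.log(2) - 8 * ID_BYTES;
        System.out.printf("P(hit) per guess with 1e6 sessions ~ 2^%.1f%n", log2PerGuess);
    }
}
```

Because the value is only a lookup key, its strength rests on the unpredictability of the generator and the length of the ID, which is why protecting the cookie in transit and in the browser matters more than the encoding.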