| Key | Description | Type | Default | Allowed values |
|---|---|---|---|---|
| enabled | whether this part of the policy will be enforced | Boolean | true | true, false |
| compensatingControl | whether another mechanism elsewhere in the stack already deals with this | Boolean | false | true, false |
| config | session management configuration settings | | | |
| id | session id configuration | | | |
| length | length (bits) of the session id | Number (int) | 128 | Any number >= 64 |
| entropy | id generation parameters: [entropy bits, generation method, generation algorithm] | Array | [64, "prng", "sha1"] | [64, "prng", "sha1"] |
| invalidOnLogout | invalidate the session id upon logout | Boolean | true | true, false |
| regenerateOnAuth | force a new session id on authentication | Boolean | true | true, false |
| forceLogoutOnWindowClose | invalidate the session (log out) when the browser window closes | Boolean | true | true, false |
| duration | session duration settings | | | |
| idle | how long (in seconds) the session can remain idle (no activity) before automatic logout | Number (int) | 900 (15 minutes) | Any integer >= 0 (0 = infinite / no idle timeout) |
| ttl | maximum session length (in seconds) | Number (int) | 3600 (1 hour) | Any number >= idle |
| automaticRenewal | automatically renew the session after the idle time expires | Boolean | false | true, false |
| cookies | settings related to session cookies | | | |
| prefixes | prefixes for cookies that meet the host or secure cookie requirements | String Array | ["_Host", "_Secure"] | ["_Host", "_Secure"] |
| name | cookie name | String | "" | Any string |
| maxAge | how long (in milliseconds) the cookie will be valid | Number (int) | ttl * 1000 | |
| httpOnly | the cookie cannot be accessed by client-side script | Boolean | true | true, false |
| secure | the cookie cannot be sent over plain HTTP (HTTPS only) | Boolean | true | true, false |
| sameSite | prevents the cookie from being sent with cross-site requests | String | "strict" | "lax", "strict" |
| domain | instructs browsers to send the cookie only to the specified domain and its subdomains | String | null | String or null |
| path | instructs browsers to send the cookie only for the specified path and its subpaths | String | "/" | String |
| csrfSettings | settings to prevent cross-site request forgery | | | |
| secretLength | length (bits) of the secret token; must be at least 64 if using a randomly generated secret | Number (int) | 64 | Any number >= 64 |
| saltLength | length (bits) of the salt value | Number (int) | 24 | Any integer >= 24 |
| ignoreMethods | skip CSRF validation for the specified request methods | String Array | ["head", "options", "get"] | Any HTTP methods |
| allowHiddenToken | place the token in a hidden HTML form field | Boolean | true | true, false |
| validateToken | validate CSRF tokens on cross-origin requests | Boolean | true | true, false |
| concurrentLogins | whether to allow concurrent logins (across tabs, browsers, devices, etc.) | Boolean | false | true, false |