SESSION MANAGEMENT

| Field | Description | Type | Default value(s) | Allowed value(s) |
|---|---|---|---|---|
| enabled | whether this part of the policy will be enforced | Boolean | true | true, false |
| compensatingControl | describes whether another mechanism is dealing with this elsewhere in the stack | Boolean | false | true, false |
| config | session management configuration settings | | | |
| id | session id configuration | | | |
| length | length (in bits) of the session id | Number (int) | 128 | Any number >= 64 |
| entropy | id generation method: bits, generation method, generation algorithm | Array | [64, "prng", "sha1"] | [64, "prng", "sha1"] |
| invalidOnLogout | invalidate the session id upon logout | Boolean | true | true, false |
| regenerateOnAuth | force a new session id on authentication | Boolean | true | true, false |
| forceLogoutOnWindowClose | invalidate the session (logout) when the window closes | Boolean | true | true, false |
| duration | session duration settings | | | |
| idle | how long (in seconds) the session can remain idle (no activity) before automatic logout | Number (int) | 900 (15 minutes) | Any integer >= 0 (0 = infinite/no idle timeout) |
| ttl | session length (in seconds) | Number (int) | 3600 (1 hour) | Any number >= idle time |
| automaticRenewal | automatically renew the session after the idle time expires | Boolean | false | true, false |
| cookies | settings related to session cookies | | | |
| prefixes | prefixes for cookies that meet the host or secure cookie requirements | String Array | ["_Host", "_Secure"] | ["_Host", "_Secure"] |
| name | cookie name | String | "" | Any string |
| maxAge | how long (in milliseconds) the cookie will be valid | Number (int) | ttl * 1000 | |
| httpOnly | the cookie cannot be accessed by any client-side script | Boolean | true | true, false |
| secure | the cookie cannot be sent over plain HTTP (HTTPS only) | Boolean | true | true, false |
| sameSite | prevents the cookie from being included in cross-site requests | String | "strict" | "lax", "strict" |
| domain | instructs web browsers to only send the cookie to the specified domain and all its subdomains | String | null | String or null |
| path | instructs web browsers to only send the cookie to the specified directory or its subdirectories | String | "/" | String |
| csrfSettings | settings to prevent cross-site request forgery | | | |
| secretLength | how long (in bits) the randomly generated secret token must be | Number (int) | 64 | Any number >= 64 |
| saltLength | how long (in bits) the salt value must be | Number (int) | 24 | Any integer >= 24 |
| ignoreMethods | skip CSRF validation for the specified request methods | String Array | ["head", "options", "get"] | All HTTP methods |
| allowHiddenToken | puts the token in a hidden field in the HTML form | Boolean | true | true, false |
| validateToken | validate CSRF tokens for cross-origin requests | Boolean | true | true, false |
| concurrentLogins | whether to allow concurrent logins (between tabs, browsers, devices, etc.) | Boolean | false | true, false |
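As an added example (not part of this policy document), the following Node.js code checks a policy object against the constraints the table states (id length, idle/ttl ordering, allowed sameSite values, CSRF lengths) and derives the cookie attributes a session library consumes. The `{ config: { id, duration, cookies, csrfSettings } }` nesting is an assumption about how the flat table is structured, and the sample cookie name uses the cookie spec's `__Host-` spelling of the host prefix.

```javascript
// Added example: validate a session policy object against the table's
// constraints and derive cookie attributes. Nesting is assumed.
const ALLOWED_SAMESITE = new Set(['lax', 'strict']);
// Constructed sample mirroring the table's default values.
const DEFAULT_POLICY = {
  config: {
    id: { length: 128, entropy: [64, 'prng', 'sha1'], invalidOnLogout: true,
          regenerateOnAuth: true, forceLogoutOnWindowClose: true },
    duration: { idle: 900, ttl: 3600, automaticRenewal: false },
    cookies: { name: '__Host-sid', maxAge: null, httpOnly: true, secure: true,
               sameSite: 'strict', domain: null, path: '/' },
    csrfSettings: { secretLength: 64, saltLength: 24,
                    ignoreMethods: ['head', 'options', 'get'] },
  },
};
function validateSessionPolicy(p) {
  const errors = [];
  const { id, duration, cookies, csrfSettings } = p.config;
  if (!(Number.isInteger(id.length) && id.length >= 64))
    errors.push('id.length must be an integer >= 64');
  if (!(Number.isInteger(duration.idle) && duration.idle >= 0))
    errors.push('duration.idle must be an integer >= 0 (0 = no idle timeout)');
  if (!(duration.ttl >= duration.idle))
    errors.push('duration.ttl must be >= duration.idle');
  if (!ALLOWED_SAMESITE.has(cookies.sameSite))
    errors.push('cookies.sameSite must be "lax" or "strict"');
  if (!(csrfSettings.secretLength >= 64))
    errors.push('csrfSettings.secretLength must be >= 64');
  if (!(Number.isInteger(csrfSettings.saltLength) && csrfSettings.saltLength >= 24))
    errors.push('csrfSettings.saltLength must be an integer >= 24');
  // Cookie-prefix rules (RFC 6265bis): __Host- requires Secure, Path=/ and
  // no Domain; __Secure- requires Secure. Browsers reject violating cookies.
  if (cookies.name.startsWith('__Host-') &&
      (!cookies.secure || cookies.domain !== null || cookies.path !== '/'))
    errors.push('__Host- cookie requires secure=true, domain=null, path="/"');
  if (cookies.name.startsWith('__Secure-') && !cookies.secure)
    errors.push('__Secure- cookie requires secure=true');
  return errors;
}
// Cookie attributes in the shape express-session's `cookie` option takes;
// maxAge is in milliseconds and defaults to ttl * 1000 as the table says.
function cookieOptionsFromPolicy(p) {
  const { duration, cookies } = p.config;
  return {
    maxAge: cookies.maxAge ?? duration.ttl * 1000,
    httpOnly: cookies.httpOnly, secure: cookies.secure,
    sameSite: cookies.sameSite, path: cookies.path,
    ...(cookies.domain !== null && { domain: cookies.domain }),
  };
}
```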