How Cookie Revocation Works

    Applies to:
      • SecureAuth Identity Platform
      • Legacy SecureAuth IdP

    Deployment model:
      • Cloud
      • Hybrid

    Version Affected: [All]


    When enabled, the authentication cookie will be revoked after the browser closes or the session expires.

    Note: In Cloud deployments, this is enabled by default. In Hybrid deployments, it is disabled by default; to use this setting, you must map an attribute to the Cookie Revocation Keys profile property in the datastore. The attribute must be a single-valued string property (Directory String), and the value is saved as a delimited value.


    Each authentication cookie receives a GUID, which is saved to the user's profile. When the user reaches the Post Authentication page, the cookie's GUID is checked against the value saved in the profile. If it does not match, the user will be kicked out.


    The value that is stored in the attribute will be the name of the Post Auth token followed by the GUID:


    The number of entries in this attribute is limited to the number of Post Auth cookies a user has, because each cookie GUID is paired with the name of the cookie it is associated with.

    If all realms share the same Post Auth cookie name, you will have a single GUID in the attribute. If you are using different realms with different Post Auth cookie names, there will be multiple GUID entries in the attribute value.
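The check described above can be modeled as follows. This is an added example, not SecureAuth code: the separators (`;` between entries, `=` between cookie name and GUID), the cookie names, and removal of an entry as the revocation step are assumptions, since the page only states that the value is delimited and pairs each cookie name with a GUID.

```python
import hmac
import uuid

# Assumed separators: the page only says the attribute value is "delimited".
ENTRY_SEP = ";"   # between cookie entries (assumption)
PAIR_SEP = "="    # between Post Auth cookie name and GUID (assumption)


def parse_keys(attr_value):
    """Parse the single-valued profile attribute into {cookie_name: guid}."""
    keys = {}
    for entry in filter(None, (attr_value or "").split(ENTRY_SEP)):
        name, sep, guid = entry.partition(PAIR_SEP)
        if sep and name and guid:          # skip malformed entries
            keys[name] = guid.lower()
    return keys


def serialize_keys(keys):
    """Write the mapping back as one delimited string."""
    return ENTRY_SEP.join(f"{n}{PAIR_SEP}{g}" for n, g in sorted(keys.items()))


def issue_cookie(attr_value, cookie_name):
    """Mint a GUID for a new cookie. One GUID is kept per cookie name,
    so a GUID issued earlier under the same name stops matching."""
    keys = parse_keys(attr_value)
    guid = str(uuid.uuid4())
    keys[cookie_name] = guid
    return guid, serialize_keys(keys)


def is_cookie_valid(attr_value, cookie_name, cookie_guid):
    """Post Authentication check: accept only a GUID that matches the profile."""
    stored = parse_keys(attr_value).get(cookie_name)
    if stored is None or not cookie_guid:
        return False
    # Constant-time comparison on bytes (also tolerates non-ASCII input).
    return hmac.compare_digest(stored.encode(), cookie_guid.lower().encode())


def revoke(attr_value, cookie_name):
    """Assumed revocation step: drop the entry so the cookie no longer matches."""
    keys = parse_keys(attr_value)
    keys.pop(cookie_name, None)
    return serialize_keys(keys)
```

Realms that share a cookie name share one entry, so the attribute grows only with the number of distinct Post Auth cookie names.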


    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
