Authentication Cookie

To reduce the number of times that a user is required to log in, you can configure a JWT cookie that will be sent to the user’s browser. This cookie is backed by a corresponding file in <appdata>/shared/tokens/ and can only be used to authenticate if the cookie is still valid and the token file exists.

The properties that control the cookie all have the prefix authentication.token. and should be set in security.yml:

Property              Description

cookie.name           The cookie name. The default value is ptoken.
cookie.domain         The cookie domain. The default is not set.
cookie.path           The cookie path. The default is not set, so the context path of the incoming request is used.
cookie.http-only      When true, the cookie is marked HttpOnly and cannot be read by JavaScript. The default value is false.
cookie.secure         Determines whether the cookie is sent only over HTTPS. The default is not set; in that case the Secure flag is added when the incoming request arrived over HTTPS.
cookie.max-age        How long the cookie stays valid. The default value is 7d (seven days). A value without a unit is a number of seconds.
cookie.same-site      Whether the cookie may be sent across sites. The default value is Lax; the other options are Strict and None.
refreshable           Whether the cookie is renewed automatically while the user is active. The default value is true.


The JWT token cookies are signed and validated using the contents of the <appdata>/token_secret file. The server creates this file with random contents if it doesn’t exist when it starts. However, in scenarios where you want cookies to be valid across multiple servers (e.g., when running them in a cluster), you need to make sure that they all have the same file contents.
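As an added check (example code written for this page, not part of the product or its documentation): a small Python script that converts a cookie.max-age value to seconds and audits a Set-Cookie response header for the attributes listed in the table above, so you can confirm the settings actually reached the browser. The Set-Cookie headers are constructed samples, and the s, m and h suffixes are an assumption beyond the d and bare-seconds forms documented here.

```python
import re
from http.cookies import SimpleCookie

# Duration suffixes accepted by the converter. "d" and bare seconds are the
# forms documented above; "s", "m" and "h" are an assumption of this example.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

DEFAULT_COOKIE_NAME = "ptoken"  # default of authentication.token.cookie.name


def max_age_seconds(value):
    """Convert a cookie.max-age setting to seconds: "7d" -> 604800, "3600" -> 3600."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unrecognised max-age value: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2) or "s"]


def audit_set_cookie(header, name=DEFAULT_COOKIE_NAME, max_age_limit="7d"):
    """Return the hardening gaps found for cookie `name` in a Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    if name not in jar:
        return [f"cookie {name!r} not present in Set-Cookie"]
    morsel = jar[name]
    findings = []
    if not morsel["httponly"]:
        findings.append("HttpOnly missing: cookie is readable by JavaScript (cookie.http-only defaults to false)")
    if not morsel["secure"]:
        findings.append("Secure missing: cookie may be sent over plain HTTP (cookie.secure unset and request not HTTPS)")
    if (morsel["samesite"] or "").lower() not in ("lax", "strict"):
        findings.append(f"SameSite={morsel['samesite'] or 'absent'}: cookie can be sent cross-site")
    if morsel["max-age"] and int(morsel["max-age"]) > max_age_seconds(max_age_limit):
        findings.append(f"Max-Age={morsel['max-age']} exceeds the configured limit of {max_age_limit}")
    return findings


# Constructed sample headers, not captured from a real server.
HARDENED = "ptoken=eyJ.constructed.sig; Path=/; Max-Age=604800; HttpOnly; Secure; SameSite=Lax"
WEAK = "ptoken=eyJ.constructed.sig; Path=/; Max-Age=2592000"

if __name__ == "__main__":
    for label, hdr in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_set_cookie(hdr) or ["no findings"])
```

Run it against the Set-Cookie header of a real login response to see which of the table's defaults are still in effect; an empty list means all four attributes are present and within the limit.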


(c) 2013-2024 Altair Engineering Inc. All Rights Reserved.