<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

Risks of Enabling Okta Global Session Cookies Persist Across Browser Sessions

Authentication
Okta Classic Engine
Okta Identity Engine

Overview

Enabling the Okta global session cookies persist across browser sessions setting introduces significant security risks, particularly concerning session hijacking. Okta recommends disabling this feature because it allows the session cookie to remain on the device after the browser closes, creating a pathway for unauthorized access. The global session policy setting for persistent cookies appears in the Okta Admin Console as shown in the following image.

Okta global session cookies persist across browser sessions

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Global Session Policy
  • Security

Solution

Why does Okta recommend disabling persistent global session cookies?

Okta recommends disabling the Okta global session cookies persist across browser sessions option due to the increased risk of session hijacking. Enabling this setting allows the session cookie to remain on the device even after the browser closes. This behavior creates a potential pathway for an unauthorized person to access the device and continue the session without re-authenticating. If a device is lost or stolen, a malicious actor can use the session cookie to gain unauthorized access to the Okta session.

 

 

What are the best practices for browser sessions to secure sensitive information?

Requiring users to re-authenticate the session every time the browser opens and closes adds an additional layer of security. This practice prevents unauthorized access to sensitive information.

 

Related References

Loading
Okta Support - Risks of Enabling Okta Global Session Cookies Persist Across Browser Sessions