This article addresses the potential security implications of enabling the Okta global session cookies persist across browser sessions setting in Okta. It outlines why Okta recommends disabling this feature, what risks and concerns it may pose, and how it could potentially expose users to security breaches.
- Global Session Policy
- Okta global session cookies persist across browser sessions
- Security
Keeping a user signed in across browser sessions is convenient, but it carries significant security risk, particularly session hijacking. That risk increases when the Okta global session cookies persist across browser sessions setting is enabled in Okta.
Okta's recommendation to disable the Okta global session cookies persist across browser sessions option is grounded in the increased risk of session hijacking when this setting is enabled. With the setting on, the session cookie is written to the user's device and remains there even after the browser is closed. This creates a potential pathway for an unauthorized person with access to the device to resume the session without re-authenticating. Furthermore, if the device is lost or stolen, the stored session cookie could be used to gain unauthorized access to the user's Okta session.
Requiring users to re-authenticate every time they close and reopen their browser is the recommended practice: it adds a layer of protection against unauthorized access to sensitive information.
