Risks of Enabling Okta Global Session Cookies Persist Across Browser Sessions
Last Updated:
Overview
Enabling the Okta global session cookies persist across browser sessions setting introduces significant security risks, particularly concerning session hijacking. Okta recommends disabling this feature because it allows the session cookie to remain on the device after the browser closes, creating a pathway for unauthorized access. The global session policy setting for persistent cookies appears in the Okta Admin Console as shown in the following image.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Global Session Policy
- Security
Solution
Why does Okta recommend disabling persistent global session cookies?
Okta recommends disabling the Okta global session cookies persist across browser sessions option due to the increased risk of session hijacking. Enabling this setting allows the session cookie to remain on the device even after the browser closes. This behavior creates a potential pathway for an unauthorized person to access the device and continue the session without re-authenticating. If a device is lost or stolen, a malicious actor can use the session cookie to gain unauthorized access to the Okta session.
What are the best practices for browser sessions to secure sensitive information?
Requiring users to re-authenticate the session every time the browser opens and closes adds an additional layer of security. This practice prevents unauthorized access to sensitive information.
