Authentication Cookie
To reduce the number of times that a user is required to log in, you can configure a JWT cookie that will be sent to the user’s browser. This cookie is backed by a corresponding file in <appdata>/shared/tokens/ and can only be used to authenticate if the cookie is still valid and the token file exists.
The properties that control the cookie all have the prefix authentication.token. and should be set in security.yml:
| Property | Description |
| --- | --- |
| cookie | The cookie name. The default value is ptoken. |
| persistence | Can be set to PERSISTENT (default) or SESSION. |
| validity.seconds | The default value is 604800 (7 days). |
| refreshable | Determines if the cookie should be automatically renewed if the user is active. The default value is true. |
| cookie.httponly | The default value is false. |
| cookie.samesite | Can be Lax (default), Strict, or None. |
| cookie.secure | The default value is false. |
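
The defaults in the table leave the token cookie readable by page scripts (cookie.httponly) and sendable over plain HTTP (cookie.secure). The following added example, which is not part of the product or its documentation, audits the effective authentication.token. settings of a security.yml text against those defaults. It assumes the file uses flat dotted keys; the `max_age` limit and the sample fragment are constructed for illustration.

```python
# Added example, not product code. Assumes security.yml holds flat dotted keys,
# e.g. "authentication.token.cookie.secure: true".
PREFIX = "authentication.token."

# Defaults exactly as listed in the property table.
DEFAULTS = {
    "cookie": "ptoken", "persistence": "PERSISTENT", "validity.seconds": "604800",
    "refreshable": "true", "cookie.httponly": "false",
    "cookie.samesite": "Lax", "cookie.secure": "false",
}

def effective_settings(yaml_text):
    """Overlay explicitly configured values on the documented defaults."""
    settings = dict(DEFAULTS)
    for line in yaml_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line.startswith(PREFIX) or ":" not in line:
            continue
        key, value = line[len(PREFIX):].split(":", 1)
        if key.strip() in DEFAULTS:
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def audit(yaml_text, max_age=86400):
    """Return findings; max_age (seconds) is a hypothetical policy limit."""
    s = effective_settings(yaml_text)
    findings = []
    if s["cookie.httponly"].lower() != "true":
        findings.append("cookie.httponly=false: scripts in the page can read the token cookie")
    if s["cookie.secure"].lower() != "true":
        findings.append("cookie.secure=false: the cookie may be sent over plain HTTP")
    if s["cookie.samesite"].lower() == "none":
        findings.append("cookie.samesite=None: the cookie is sent on cross-site requests")
    seconds = int(s["validity.seconds"]) if s["validity.seconds"].isdigit() else None
    if s["persistence"].upper() == "PERSISTENT" and (seconds is None or seconds > max_age):
        findings.append("persistent cookie: validity.seconds=%s (limit %d)"
                        % (s["validity.seconds"], max_age))
    return findings

# Constructed sample: a hardened security.yml fragment.
HARDENED = """
authentication.token.persistence: SESSION
authentication.token.cookie.httponly: true
authentication.token.cookie.samesite: Strict
authentication.token.cookie.secure: true
"""

if __name__ == "__main__":
    for name, text in (("defaults", ""), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```
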
The JWT token cookies are signed and validated using the contents of the <appdata>/token_secret file. The server creates this file with random contents if it doesn’t exist when it starts. However, in scenarios where you want cookies to be valid across multiple servers (e.g., when running them in a cluster), you need to make sure that they all have the same file contents.
(c) 2013-2024 Altair Engineering Inc. All Rights Reserved.