Configuring the authentication and access module for cookieless operation

To allow the Authentication and access module to function like an API, you can avoid the use of a client-side cookie with an advanced configuration option.

Before you begin

Configure the appliance to use Authentication-based and Content-based access with one of the following methods:
  • Set up the Distributed Map (DMap)
  • Set up a Distributed Session Cache (DSC)

About this task

When cookieless operation is enabled, several configuration options are available to suit a range of deployment configurations and use cases.

In high availability or clustered environments, it is recommended that session affinity is enforced for a sufficient period of time to allow session replication between nodes. The length of time that sticky sessions are enforced depends on the deployment.

During normal operation a jsession cookie is still returned. However, if this session cookie is returned in subsequent requests, it is ignored by the authentication service.

Note: This configuration option only removes the reliance on session cookies for the authentication service (/sps/authsvc and /sps/apiauthsvc) endpoints. Users still require a WebSEAL session cookie to maintain state.

Configure the Authentication-based and Content-based access module to not rely on client-side cookies to store authentication information.

Administrators can choose to store this information in either the DSC, Memory, or the DMap, depending on deployment requirements.


  1. In the local management interface, click AAC > Advanced Configuration.
  2. To enable cookieless operation, toggle the authsvc.stateMgmt.cookieless key to Enabled.
  3. Select session store by using the key (either DSC for the Distributed Session Cache, DMap for the Distributed Map, or Memory for JVM memory caching):
    • Distributed Session Cache (DSC)
      1. Enable the distributedSessionCache.enabled key.
      2. Set DSC parameters:
        • distributedSessionCache.localCacheEnabled
        • distributedSessionCache.localCacheSize
        • distributedSessionCache.externalServers
    • Distributed Map (DMap) or Memory
      1. Set authsvc.stateMgmt.lifetime for the maximum lifetime of a session in the DMap or in Memory.
    • Memory only
      1. Set authsvc.stateMgmt.memory.cleanupThread.batchSize if a maximum cleanup batch size is required.
        Note: Setting this parameter as 0 disables this option.
      2. Set authsvc.stateMgmt.memory.cleanupWait to control the cleanup thread run frequency.
        Note: Setting this parameter to -1 disables the cleanup thread.
      3. Set authsvc.stateMgmt.memory.maxSessions to control the maximum number of sessions to cache. When this value is exceeded, IBM Security Verify Access removes the oldest sessions in the cache.
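
The key dependencies in the procedure above can be checked before a change is deployed. The following is an added example, not IBM code: it lints a set of advanced-configuration values for the chosen session store. The `store` argument is hypothetical because this page does not name the key that selects the store, and the value formats and sample values are assumptions constructed for illustration.

```python
# Added example, not IBM code. `store` is a hypothetical argument: the page does
# not name the key that selects the session store. Values are constructed.
DSC_KEYS = (
    "distributedSessionCache.localCacheEnabled",
    "distributedSessionCache.localCacheSize",
    "distributedSessionCache.externalServers",
)
MEM = "authsvc.stateMgmt.memory."

def is_on(cfg, key):
    # Assumption: toggles are exported as "true" or "Enabled" strings.
    return str(cfg.get(key, "")).strip().lower() in ("true", "enabled")

def as_int(cfg, key):
    try:
        return int(cfg[key])
    except (KeyError, TypeError, ValueError):
        return None  # missing or not a number

def lint_cookieless(cfg, store):
    """Return findings for a store of 'DSC', 'DMap' or 'Memory'."""
    if store not in ("DSC", "DMap", "Memory"):
        return [f"unknown session store {store!r}"]
    out = []
    if not is_on(cfg, "authsvc.stateMgmt.cookieless"):
        out.append("authsvc.stateMgmt.cookieless is not enabled")
    if store == "DSC":
        if not is_on(cfg, "distributedSessionCache.enabled"):
            out.append("distributedSessionCache.enabled is not enabled")
        out += [f"{k} is not set" for k in DSC_KEYS if not str(cfg.get(k, "")).strip()]
    elif as_int(cfg, "authsvc.stateMgmt.lifetime") is None:
        out.append("authsvc.stateMgmt.lifetime is not set")
    if store == "Memory":
        if as_int(cfg, MEM + "cleanupThread.batchSize") == 0:
            out.append("batchSize 0: maximum cleanup batch size disabled")
        if as_int(cfg, MEM + "cleanupWait") == -1:
            out.append("cleanupWait -1: cleanup thread disabled")
        if as_int(cfg, MEM + "maxSessions") is None:
            out.append("maxSessions is not set")
    return out

SAMPLE = {  # constructed values
    "authsvc.stateMgmt.cookieless": "true",
    "authsvc.stateMgmt.lifetime": "600",
    MEM + "cleanupThread.batchSize": "0",
    MEM + "cleanupWait": "-1",
}
if __name__ == "__main__":
    for finding in lint_cookieless(SAMPLE, "Memory"):
        print(finding)
```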