  1. OpenAM
  2. OPENAM-9536

Reduce size of stateless sessions


    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 14.0.0
    • Fix Version/s: 14.0.0
    • Component/s: session
    • Labels:
    • Support Ticket IDs:


      The size of stateless sessions is critical as the total size of cookies from one domain in a browser is around 4KB. The minimum size of a stateless session cookie is around 1.5KB currently, or just over 1KB if deflate compression is used. However, there are a number of inefficiencies that could be removed to reduce this even further:

      • The legacy session format "wrapper" that we use includes an additional encrypted string that is completely unused in stateless sessions (64 bits plus IV = 32 bytes, hex-encoded = 64 bytes)
      • An additional round of c66 encoding is applied on top of the JWT's base64url encoding, which is pointless as the JWT is already URL-safe, and is not losslessly reversible, resulting in damage to the JWT that has to be repaired.
      • The JWT library serialises claims and headers with additional whitespace around claim key/values and punctuation. Removing this would shrink the JWT without compression and appears to be a win even with compression enabled.
      • The stateless session JWT contains a session handle property, which can never be used for stateless sessions.
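
The effect of the whitespace and the unused session handle on the encoded size can be measured directly. The sketch below is an added example, not OpenAM code: the claim set, the `sessionHandle` claim name and its value are constructed, and Python's default `", "` / `": "` JSON separators stand in for the whitespace the JWT library emits.

```python
import base64
import json
import zlib

# Constructed claims for illustration; not OpenAM's real session claim set.
CLAIMS = {
    "sub": "id=demo,ou=user,dc=example,dc=com",
    "iss": "https://am.example.com/openam",
    "iat": 1700000000,
    "exp": 1700007200,
    "realm": "/",
    "sessionHandle": "shandle:constructed-placeholder-value",  # hypothetical name
    "props": {f"property{i}": f"value-{i * 7919:06d}" for i in range(12)},
}

def serialise(claims, compact):
    # Spaced form: Python's default ", " and ": " separators, standing in
    # for the whitespace the issue says the JWT library emits.
    seps = (",", ":") if compact else (", ", ": ")
    return json.dumps(claims, separators=seps).encode("utf-8")

def b64url(data):
    # base64url without padding, as used for JWT segments
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def segment(claims, compact, deflate):
    raw = serialise(claims, compact)
    if deflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE stream
        raw = comp.compress(raw) + comp.flush()
    return b64url(raw)

def decode_segment(seg, deflate):
    raw = base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
    if deflate:
        raw = zlib.decompress(raw, -15)
    return json.loads(raw)

def sizes(claims):
    trimmed = {k: v for k, v in claims.items() if k != "sessionHandle"}
    return {
        "spaced": len(segment(claims, False, False)),
        "compact": len(segment(claims, True, False)),
        "compact, no handle": len(segment(trimmed, True, False)),
        "spaced + deflate": len(segment(claims, False, True)),
        "compact + deflate": len(segment(claims, True, True)),
    }

if __name__ == "__main__":
    for label, n in sizes(CLAIMS).items():
        print(f"{label:20} {n:5d} chars")
```

Every variant decodes back to the same claims, so the savings cost nothing semantically; run it against a real claim set to see how much of the gain survives deflate.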





              • Assignee:
                neil.madden Neil Madden
              • Votes:
                0
              • Watchers:
                5


                • Created: