Strengthen IAM Sessions with Cookie Protection
- Services: IAM
- Release Date: July 13, 2026
Cookie protection helps prevent unauthorized access to user sessions by binding session cookies to the client's IP address.
Cookie protection adds IP-based detection for session cookies used by protected applications. When the system detects that a session cookie is used from a different IP address, it can require the user to reauthenticate and, when session management is enabled, revoke the associated server-side session.
- IP-bound session cookies
-
After successful authentication, the system binds the session cookie, which has the
ORA_OCIS_prefix, to the user's IP address. If the cookie is later used from a different IP address, the system evaluates mitigation actions. - Trusted network perimeters
-
Administrators can add network perimeters as Trusted IPs in the cookie protection settings. If the new IP address is within a trusted range, the system doesn't take mitigation action.
- Mitigation actions
-
For an untrusted IP address, the system can force reauthentication with a first factor. If Session Management is enabled for the identity domain, administrators can also choose to revoke the user session associated with the session cookie.
- Notifications and auditing
-
When cookie protection enforces mitigation action, IAM can email identity domain administrators. Administrators can enable or disable these notifications in the OCI Console and track enforcement through the
sso.authentication.failureandsso.session.delete.successaudit logs. - Configuration
-
In the Session settings page, enable cookie protection, optionally exempt trusted network perimeters, optionally terminate impacted SSO sessions, and save the changes. Administrators can disable cookie protection from the same page.
Cookie protection doesn't prevent insider threats because IP-based detection might not identify malicious actions from within a trusted network.