Set the session cookie myself

I was reading the following documentation on sessions and I stumbled upon this text:

Use this API if, for example, you want to set the session cookie yourself instead of allowing Okta to set it…

My question is: how do I set the session cookie myself without 1. any redirects and 2. the okta-js library?

Hi @krolique

By consuming the session token server-side on /api/v1/sessions, you will get the details about the user that logged in. From here, you can take the necessary details (userId, login, etc.) to build a cookie or session inside your application.

The cookie/session construction depends on the algorithm that you have implemented to authenticate your users.
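One way to build an application cookie from the session details described in the reply above, as an added example that is not part of the original thread or Okta's code. It assumes an HMAC-signed cookie; the cookie name `app_session`, the `MAX_AGE` ceiling and the sample session values are constructed for illustration.

```python
import base64, hashlib, hmac, json
from datetime import datetime

MAX_AGE = 3600  # assumed ceiling for the local session, in seconds

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _sign(key: bytes, body: str) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def issue_cookie(okta_session: dict, key: bytes, now: int) -> str:
    """Build a Set-Cookie value for the app's own session from Okta session details."""
    if okta_session.get("status") != "ACTIVE":
        raise ValueError("Okta session is not active")
    okta_exp = int(datetime.fromisoformat(
        okta_session["expiresAt"].replace("Z", "+00:00")).timestamp())
    exp = min(okta_exp, now + MAX_AGE)  # never outlive the Okta session
    if exp <= now:
        raise ValueError("Okta session already expired")
    # Only user details go into the cookie; the Okta session id stays server-side.
    claims = {"uid": okta_session["userId"], "login": okta_session["login"], "exp": exp}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    value = f"{body}.{_sign(key, body)}"
    return (f"app_session={value}; Max-Age={exp - now}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")

def verify_cookie(value: str, key: bytes, now: int):
    """Return the claims if signature and expiry check out, else None."""
    body, _, sig = value.partition(".")
    # Constant-time comparison; the body is parsed only after the MAC verifies.
    if not hmac.compare_digest(sig.encode(), _sign(key, body).encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims["exp"] > now else None

# Constructed sample, shaped like the session details the reply mentions.
SAMPLE_SESSION = {
    "id": "CONSTRUCTED-SESSION-ID",
    "userId": "CONSTRUCTED-USER-ID",
    "login": "user@example.com",
    "expiresAt": "2030-01-01T00:30:00.000Z",
    "status": "ACTIVE",
}
```

Because the cookie is `HttpOnly` and carries no Okta identifiers, client-side code only sees an opaque application session.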

@dragos Thank you for your reply.

If I set a cookie like sid=SESSION_ID myself, will the user be able to visit the Okta dashboard or, for instance, visit an SSO embed link for another Okta application that is assigned to that user?

Hi @krolique

If you want to authenticate your users client-side and also let them access the Okta dashboard, the best solution to consume the session token would be by visiting a URL like the following:

https://org.okta.com/login/sessionCookieRedirect?token={sessionToken}&redirectUrl={redirectUrl}

After the user is authenticated, you can call /api/v1/users/me in order to retrieve the details about the user to create your local session.

You can find here more details about how to use the session token to authenticate the users client side.

@dragos,

The issue that I am facing with sessionToken is they expire rather quickly. I am forced to consume the token and then delegate session management (finding ID, checking expires) to a SPA which then is forced to know it is dealing with Okta. I would like to abstract those details into the API and publish a simpler contract to the SPA without any Okta implementation details.

Is such a thing possible?

Again, I thank you for your help!
