Skip to main content
Version: 3.8.x.x LTS

Enhanced session protection

The user's session is usually bound to a cookie (called Navajo by default). The session cookie allows a user to access the web application he has previously been authenticated for, see also the Perimeter Authentication in the chapter Application integration.

It is important that this Navajo cookie is only used by the corresponding user. Therefore, you should always activate the "HTTP only" option for this cookie within the nevisProxy connector view. This prevents the cookie from being accessed on the client side by JavaScript code executed in the browser.

Use agent settings enabling the HTTP only flag

In addition to this, you might want to lock the Navajo cookie to other client attributes to prevent it from being used by another client/user. The template Enhanced session tracking is an example how to do this:

  • A filter assigned to your application's mapping tracks additional client attributes such as the IP address or the cipher suite the client uses.
  • If these attributes change, the client has to prove that he is still the legal owner of the Navajo cookie by providing his credentials, e.g., his passphrase.
  • The user's session is locked until the user provides this credential. After successful credential verification, the user may continue to work.
    • In case of an IP address change, the new IP address gets added to the list of valid IP addresses for the user's session.
    • In case of a cipher suite change, the new cipher suite replaces the previous one which allowed to access the session.