With the introduction of risk-based authentication mechanisms combined with strong authentication methods, manipulating user credentials to gain unauthorized access has become very difficult. Many web applications use cookies to manage the user sessions. Numerous basic security measures are available to secure the session cookie. However, cookies are susceptible to replay attacks. Session timeouts and IP address validations can minimize the chances of replay attacks. But, chances of misusing a session cookie to gain unauthorized access to an active session still exist.
Advanced Session Assurance enables you to prevent session replay attacks by adding an additional layer of security to your sessions. When a session is established, Access Manager creates a unique fingerprint of the device from which the session is established. During the session, at a configurable time interval, Access Manager validates the session to ensure that the fingerprint matches with that of the device it originated from.
Access Manager also generates a new ID for the session at a specified time interval. If the fingerprint or the session ID does not match, Access Manager logs the user out and invalidates the session.
Advanced Session Assurance provides three levels of protection as follows:
Session Renewal: A new ID for the active session is generated at the specified interval. Even after enabling fingerprinting, if intruders steal the session ID, they cannot hijack the session as the ID keeps changing after the specified time. In a fresh install, this is enabled for both Identity Server and Access Gateway by default. However, it is disabled for both Identity Server and Access Gateway in an upgraded setup.
Device Fingerprinting:A fingerprint is created by using the parameters fetched from the user's device such as hardware parameters and screen resolution.
Server-side Fingerprinting: A fingerprint is created by using the parameters fetched at the server-side using request parameters such as http headers or IP address.
Access Manager supports the following parameters in Advanced Session Assurance validations for Identity Server and Access Gateways sessions:
Table 14-1 Advanced Session Assurance Parameters
Parameter |
Description |
---|---|
Request Parameters: |
|
Client IP |
Fetches the IP address of the client. |
Request Header Set |
Fetches the user-agent from the request headers of the incoming request. |
Device Parameters: |
|
Hardware Parameters |
Fetches the following details about the user’s device:
|
Language Set |
Fetches language preferences of the user's device. |
Screen Resolution |
Fetches width and height of the user's browser and screen. |
Time Zone Offset |
Fetches time zone of the user's device. |
Operating System |
Fetches name and version of the operating system on the user’s device. |
User Agent |
Fetches the following details about the browser on the user’s device:
|
HTML5 Capabilities (Performance Intensive) |
Fetches the information about HTML 5 capabilities that are supported by the browser. |
System Fonts (Performance Intensive) |
Fetches the information about fonts supported and unsupported by the user's browser. |
WebGL Metadata (Performance Intensive) |
Fetches information about the GPU (Graphics Processing Unit), the identity of the browser, WebGL properties, and characteristics supported by the browser. WebGL (Web Graphics Library) is a JavaScript API for rendering interactive 3D computer graphics and 2D graphics within any compatible web browser without using plug-ins. |
This section includes the following topics:
For the troubleshooting information, see Troubleshooting Advanced Session Assurance.
Identity Server: By default, in a fresh installation or upgrade, both device fingerprinting-based and server-side fingerprinting-based validations are disabled for all clusters.
Access Gateway: By default, in a fresh installation or upgrade, both device fingerprinting-based and server-side fingerprinting-based validations are disabled for all clusters.
To enable device fingerprinting-based validation for Access Gateway, enable it at the proxy service resource level. See Enabling Advanced Session Assurance at the Proxy Service Resource Level.
NOTE:Advanced Session Assurance is disabled by default for Identity Server and Access Gateway in an upgraded or newly installed setup. You must upgrade all nodes in the clusters of Identity Server and Access Gateway to the latest version before enabling Advance Session Assurance.
For Access Gateway clusters and proxy services, enable Advanced Session Assurance only if needed. See Best Practices for Enabling Advanced Session Assurance at the Proxy Service Resource Level.
Perform the following steps to enable Advanced Session Assurance at the cluster level:
Click Security > Advanced Session Assurance.
In Cluster Level Configurations, select Identity Server clusters or Access Gateway clusters for which you want to enable Advanced Session Assurance.
For Access Gateway, you can disable or enable device fingerprinting-based validation at the proxy service level at the respective configuration pages or at the Advanced Session Assurance page.
Perform anyone of the following procedures to enable Advanced Session Assurance at the proxy service level:
At the respective configuration page:
Click Devices > Access Gateway > Edit >[name of reverse proxy] > [name of proxy service].
Select Enable Advanced Session Assurance.
At the Advanced Session Assurance page:
Click Security > Advanced Session Assurance.
Click Proxy Service Settings, select the proxy service for which you want to enable the device fingerprinting-based validation.
Before enabling the Advanced Session Assurance for your applications, understand how this works. See Table 14-1, Advanced Session Assurance Parameters.
If the application is a single page application or runs with browser plug-ins, consider the following scenarios:
As the cookie gets renewed on the browser at the specified interval, ensure that your application picks up the updated cookie and sends it with every request.
When you enable server-side fingerprinting, ensure that your application sends the same user-agent header over the entire session.
For example, assume SharePoint is protected by Access Gateway. When you try to open any application on SharePoint such as an Microsoft Word document, the user agent value changes when the document opens.
The session validation in such scenarios may fail. However, the session is valid. To prevent this, you can exclude the proxy service associated with SharePoint from the session validation. See Disabling Advanced Session Assurance for Access Gateway Proxy Services.
Client-side fingerprinting includes many client-side parameters. Ensure that the enabled parameters do not change during the session.
Access Manager enables you to set the interval for session validation and session ID renewal for Identity Server and Access Gateway. You can specify different values for Identity Server and Access Gateway.
Perform the following steps to set up session validation and renewal interval:
Click Security > Advanced Session Assurance.
Under Session Validation and Renewal Interval, specify the interval for session validation. Access Manager also generates a new ID for the session after the same interval.
IMPORTANT:Users might not go to Identity Server or Access Gateway Embedded Service Provider (ESP) very regularly. So, in the following scenarios, this interval might not work and the session will be renewed with the next request after the interval:
Federated setups: When a user logs into Identity Server, Access Manager generates an assertion to the service provider (SP). After that the SP owns the user session and session assurance renewal will not work till the SP periodically comes back to Identity Server to renew the session assurance.
Access Gateway setups: When a user accesses and logs into a protected resource, that user usually does not return to ESP or Identity Server until the session timeout has exceeded or another authentication request comes to Identity Server. For example, if the default contract timeout is set to 60 min, the user may not come back to Identity Server or ESP approximately for 40 min. Even if the session renewal is set to 1 min (default), the user may not come back to Identity Server and renew the session info.
Click Security > Advanced Session Assurance.
Click Parameters Setting.
Select the parameters for Identity Server and Access Gateway that you want to include in session validations.
For more information about parameters, see Table 14-1.
If any critical issue happens, you can disable Advanced Session Assurance for the specific URLs and user-agents. You need to add the URL or user agent to the exclude list of each Identity server cluster and ESP cluster. For both URL and user agent, you can either specify strings or regular expression as input.
NOTE:You can also deselect the cluster to disable Advanced Session Assurance. However, disabling Advanced Session Assurance at the cluster level disables it for the entire Access Manager setup.
Click Devices > Identity Servers > Edit > Options > New.
Set the following properties:
Multiple inputs must be separated by comma.
Property Type |
Property Value |
---|---|
SESSION ASSURANCE USER AGENT EXCLUDE LIST |
Specify the user-agent string for that you want to disable the session validation. For example, you can specify Android to exclude Android devices (version 4.x). Examples of user agent sent by Android devices: User-Agent: Mozilla/5.0 (Linux; Android 4.4.3; KFTHWI Build/KTU84M) AppleWebKit/537.36 (KHTML, like Gecko) Silk/44.1.54 like Chrome/44.0.2403.63 Safari/537.36 You can specify MSIE to exclude Internet Explorer 10.x. Examples of user agents sent by Internet Explorer: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT6.1; WOW64; Trident/6.0) |
SESSION ASSURANCE USER AGENT REGEX EXCLUDE LIST |
Specify the user-agent REGEX for that you want to disable the session validation. For example, you can specify Android 4\. to exclude Android devices (version 4.x). Examples of user agent sent by Android devices: User-Agent: Mozilla/5.0 (Linux; Android 4.4.3; KFTHWI Build/KTU84M) AppleWebKit/537.36 (KHTML, like Gecko) Silk/44.1.54 like Chrome/44.0.2403.63 Safari/537.36 You can specify MSIE 10\. to exclude Internet Explorer 10.x. Examples of user agents sent by Internet Explorer: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) |
SESSION ASSURANCE URL EXCLUDE LIST |
Specify the URL for that you want to disable the session validation. For example, if you want to exclude any URL based on any string. Let assume the URL is http://www.xyz.com/hr/main, specify /hr/ to verify whether the URL contains /hr/. If yes, then the URL will be excluded from session validation. Use the , delimiter to specify more than one URL. For example, /ab*s/aa,ab?sj=sd.:,//,12@/dd:234 |
SESSION ASSURANCE URL REGEX EXCLUDE LIST |
Specify the URL REGEX for that you want to disable the session validation. For example, let assume the URL is http://www.xyz.com/hr/main, specify www.xyz.com/hr/(.)* to verify whether the URL contains /hr/. If yes, then the URL will be excluded from session validation. Use the , delimiter to specify more than one URL. For example, \s,\d\d\d,^\d\d\d.$ |
SESSION ASSURANCE IDC COOKIE GRACEPERIOD |
Specify the time in second till which Identity Server will accept the old session ID, after issuing a new ID. The default value is 15 second. |
Click Devices > Access Gateways > Edit > Reverse Proxy / Authentication > ESP Global Options.
Add the following options in the ESP Global Options list:
Multiple inputs must be separated by comma.
ESP Global Options |
Description |
---|---|
SESSION_ASSURANCE_USER AGENT_EXCLUDE_LIST |
Specify the user-agent string for that you want to disable the session validation. For example, if you want to exclude android devices, add the following: SESSION_ASSURANCE_USER_AGENT_EXCLUDE_LIST Android,Chrome |
SESSION_ASSURANCE_USER_AGENT_REGEX_EXCLUDE_LIST |
Specify the user-agent REGEX for that you want to disable the session validation. For example, if you want to exclude android devices with version 4 and later, add the following: SESSION_ASSURANCE_USER_AGENT_REGEX_EXCLUDE_LIST Android 4\.,Chrome |
SESSION_ASSURANCE_URL_EXCLUDE_LIST |
Specify the URL for that you want to disable the session validation. For example, if you want to exclude any URL based on any string. Let assume the URL is http://www.xyz.com/hr/main, the following entry will verify whether the URL contains /hr/. If yes, then the URL will be excluded from session validation: SESSION_ASSURANCE_URL_EXCLUDE_LIST /hr/ Use the , delimiter to specify more than one URL. For example, SESSION_ASSURANCE_USER_AGENT_EXCLUDE_LIST abc,ss,s |
SESSION_ASSURANCE_URL_REGEX_EXCLUDE_LIST |
Specify the URL REGEX for that you want to disable the session validation. For example, if you want to exclude any URL based on any string. Let assume the URL is http://www.xyz.com/hr/main, the following entry will verify whether the URL contains /hr/. If yes, then the URL will be excluded from session validation: SESSION_ASSURANCE_URL_REGEX_EXCLUDE_LIST www.xyz.com/hr/(.)* Use the , delimiter to specify more than one URL. For example, SESSION_ASSURANCE_USER_AGENT_REGEX_EXCLUDE_LIST \s,\d\d\d,^\d\d\d.$ |
SESSION_ASSURANCE_IDC_COOKIE_GRACEPERIOD |
Specify the time in second till which Identity Server will accept the old session ID, after issuing a new ID. The default value is 15 second. |
When Advanced Session Assurance is enabled at the cluster level for a proxy service, server-side fingerprinting and session ID Session Assurance are enabled. You can disable and re-enable it by using advanced options.
Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Advanced Options.
Add the following options on the need basis:
Option |
Description |
---|---|
NAGHostOptions DisableIDC=on |
This disables Advance Session Assurance for small lived session IDs. Set to off to enable Advance Session Assurance for session ID. |
NAGHostOptions DisableSFP=on |
This disables server-side fingerprinting Session Assurance. Set to off to enable server-side fingerprinting Session Assurance. |
Save your changes and update Access Gateway.
Let assume an organization has a Human Resources application and a Payroll application. Both applications contain highly confidential data of its employees. These applications are protected by Access Gateway.
The organization wants to prevent session hijacking for these applications.This can be achieved by enabling device fingerprinting-based session validations for proxy services tied to these applications.
Configuration Steps:
Click Security > Advanced Session Assurance.
In Enable Advanced Session Assurance for Clusters, select the required Identity Server clusters and Access Gateway clusters for which you want to enable Advanced Session Assurance.
Specify Session Validation and Renewal Interval.
For more information, see Setting Up Session Validation and Renewal Interval.
Select parameters that you want to include in the session validation.
For more information about parameters, see Table 14-1.
Click Proxy Service Settings and select the proxy services tied up with Human resources and Payroll applications.
Click OK.
Update Access Gateway.