Rotate HTTP session identifiers (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 1 minute to read

    • Use the glide.ui.rotate_sessions property to enable rotation of the HTTP session identifiers to reduce security vulnerabilities.

    If an unauthenticated user's session ID doesn't change after authentication, a web application is vulnerable to a session fixation attack. A malicious user could start an unauthenticated session and give the associated session ID to the victim. Once the victim authenticates, the malicious user now shares that authenticated session.

    More information

    Attribute Description
    Property name glide.ui.rotate_sessions
    Configuration type System Properties (/sys_properties_list.do)
    Configure in Instance Security Center Yes
    Purpose To achieve more secure session authentication.
    Recommended value true
    Functional ImpactThis remediation modified the SessionID when user navigates from unauthenticated page to authenticated pages.
    • If you are using a proxy or hardcoding the SessionID when a user first logs in, or for any purpose, then there can be a potential functionality impact.
    • If you are using the SAML 2.0 plugin for Single Sign-on authentication, it might interfere with the session information sharing between the instance and the Identity Provider. In such case, you can set this property to false.
    Security risk (Late) SessionID is used to process and authenticate the instance user by maintaining the session state on the browser. Thus, SessionID is deemed as sensitive data and should be secure by default. Session Rotation is a security control that enforces the alteration of sessionID whenever the user navigates from unauthenticated pages to authenticate pages.
    References

    Authentication with SAML

    To learn more about adding or creating a system property, see Add a system property.