Session validation context
Summary of Session Validation Context
The Session Validation Context provides an additional security layer against session or cookie hijacking for ServiceNow customers. It works with the Adaptive Authentication Policy Framework to evaluate authentication requests, allowing or denying access based on defined policies. This feature is particularly useful for enhancing security during user sessions by enforcing IP restrictions and validating user credentials post-login.
Key Features
- IP Address Evaluation: Captures and stores the user's IP address during session creation, rejecting requests from differing IPs or outside predefined valid ranges.
- Policy Options: Admins can configure policies as either Allow or Deny, determining default access behaviors based on policy conditions.
- Post-Login Execution: The validation context only executes for authenticated users and post-login requests, ensuring that session integrity is maintained throughout the user experience.
- Custom Configuration: Administrators can set various rules and IP ranges based on user groups or roles to fine-tune access control.
Key Outcomes
Implementing the Session Validation Context offers significant benefits, including:
- Protection from session hijacking by restricting access to valid IP addresses.
- Enhanced security for users on insecure networks.
- Customizable access rules based on user roles, improving security tailored to organizational needs.
To effectively use this feature, customers should configure the session validation context policies according to their security requirements, utilizing the policy input and condition settings provided in the platform.
Use the Session Validation Context as an additional layer of protection against session or cookie hijacking.
You can use the Session Validation Context with the Adaptive authentication policy framework. The framework uses authentication policies to evaluate authentication requests and then either denies or allows access based on policy inputs and conditions.
The Session Validation Context policy can be used in conjunction with a post auth policy, where an admin can enforce IP restrictions on some or all users during the logged-in session.
The Session Validation Context feature evaluates IP addresses against the conditions you set and allows access to the instance within a session. The context outcome is set by selecting Allow Policy: under an Allow policy, the user session is terminated immediately unless at least one of the conditions defined in the allow access policy evaluates to true.
The Session Validation Context works based on the following mechanism:
- Captures the user's IP address on session creation from user request and stores it in the session and database.
- Rejects a request when its IP address differs from the one stored in the session or falls outside the valid IP ranges you defined.
- Available only for authenticated users.
- Not applicable for guest user sessions or native mobile apps.
- Optional; configure it only if your security requirements call for it.
- Executed only for the post-login requests.
Benefits of Session Validation
The Session Validation Context has the following benefits:
- Restricts access to ServiceNow® when hijackers copy a user's session cookies from one device to another to impersonate the session.
- Restricts the user's session access if they're using an insecure network.
- Configures the various rules and IP ranges by user group or role for user logins.
Session Validation context record
Policies in the session validation context execute on post-login requests.
Use the fields in the session validation policy context record to define how your instance uses your policy.
| Field | Description |
|---|---|
| Name | Name of the policy context. This field is static and can’t be changed. |
| Description | Description of the context. |
| Default Policy | Defines the default behavior of this context when evaluating the policy. Select either Allow Policy or Deny Policy. |
| Allow Policy | The policy used for this context. This field appears only when the Default Policy field is set to Allow Policy. |
| Deny Policy | The policy used for this context. This field appears only when the Default Policy field is set to Deny Policy. |
You can choose the Session Validation Policy as Allow Policy or Deny Policy based on the policy input and policy conditions.
You can only use the IP, Role, and Group filter criteria for Session Validation policy.
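The mechanism above (capture the IP at session creation, reject post-login requests whose IP differs or falls outside the valid ranges, terminate the session under an Allow policy unless one condition is true) and the IP, Role and Group filter criteria can be modelled in a few dozen lines. The following is an added example written for this page, not ServiceNow platform code: `SessionValidator`, `makePolicy` and the condition helpers are hypothetical names, the users, session ids and IP ranges are constructed, and treating a Deny policy as the mirror image of an Allow policy is this example's assumption rather than something the page specifies.

```javascript
// Added illustration of the Session Validation Context mechanism described on this page.
// Example code only (not ServiceNow platform code): SessionValidator, makePolicy and the
// condition helpers are hypothetical names; users, session ids and IP ranges are constructed.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`invalid IPv4 address: ${ip}`);
  return parts.reduce((acc, part) => {
    const octet = Number(part);
    if (!/^\d{1,3}$/.test(part) || octet > 255) throw new Error(`invalid IPv4 address: ${ip}`);
    return ((acc << 8) | octet) >>> 0;
  }, 0);
}

// True when `ip` lies inside the CIDR block `cidr` (e.g. "10.0.0.0/8"); a bare address means /32.
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid CIDR: ${cidr}`);
  // JS shift counts are taken modulo 32, so /0 needs an explicit all-zero mask.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Condition helpers for the three filter criteria the page allows: IP, Role and Group.
// Each condition is a predicate over the request context {ip, roles, groups}.
const ipInRanges = (ranges) => (ctx) => ranges.some((range) => inCidr(ctx.ip, range));
const hasRole = (role) => (ctx) => ctx.roles.includes(role);
const inGroup = (group) => (ctx) => ctx.groups.includes(group);
const allOf = (...conds) => (ctx) => conds.every((cond) => cond(ctx));

// kind is 'allow' or 'deny'. Under an Allow policy the session is terminated unless at least
// one condition evaluates to true (as the page states). Treating a Deny policy as the mirror
// image (terminate when any condition is true) is an assumption of this example.
function makePolicy(kind, conditions) {
  if (kind !== 'allow' && kind !== 'deny') throw new Error(`unknown policy kind: ${kind}`);
  return { kind, conditions };
}

class SessionValidator {
  constructor(policy) {
    this.policy = policy;
    this.sessions = new Map(); // stands in for the session store and its database record
  }

  // On session creation: capture the client IP from the request and store it with the session.
  createSession(sessionId, user, ip) {
    this.sessions.set(sessionId, { user, ip, active: true });
  }

  // On each post-login request: reject when the IP differs from the captured one, then
  // evaluate the policy. Any rejection terminates the session, so a copied cookie is useless.
  validate(sessionId, requestIp) {
    const session = this.sessions.get(sessionId);
    if (!session || !session.active) return { allowed: false, reason: 'no active session' };
    if (requestIp !== session.ip) {
      session.active = false;
      return { allowed: false, reason: 'ip differs from session ip' };
    }
    const ctx = { ip: requestIp, roles: session.user.roles, groups: session.user.groups };
    const anyTrue = this.policy.conditions.some((cond) => cond(ctx));
    const allowed = this.policy.kind === 'allow' ? anyTrue : !anyTrue;
    if (!allowed) {
      session.active = false;
      return { allowed: false, reason: `${this.policy.kind} policy` };
    }
    return { allowed: true, reason: 'ok' };
  }
}

// Worked scenario with constructed data: an Allow policy that admits the corporate range
// outright, the VPN range only for members of the vpn-users group, and a bastion range
// only for users holding the admin role.
function demo() {
  const policy = makePolicy('allow', [
    ipInRanges(['10.0.0.0/8']),
    allOf(inGroup('vpn-users'), ipInRanges(['192.168.100.0/24'])),
    allOf(hasRole('admin'), ipInRanges(['203.0.113.0/24'])),
  ]);
  const validator = new SessionValidator(policy);
  const alice = { name: 'alice', roles: ['itil'], groups: ['vpn-users'] };
  const bob = { name: 'bob', roles: ['itil'], groups: [] };
  validator.createSession('s1', alice, '10.20.30.40');
  validator.createSession('s2', alice, '192.168.100.7');
  validator.createSession('s3', bob, '192.168.100.8');
  validator.createSession('s4', alice, '10.20.30.41');
  return {
    corporateIp: validator.validate('s1', '10.20.30.40').allowed,       // true
    vpnWithGroup: validator.validate('s2', '192.168.100.7').allowed,    // true
    vpnNoGroup: validator.validate('s3', '192.168.100.8').allowed,      // false: no condition true
    copiedCookie: validator.validate('s4', '203.0.113.9').allowed,      // false: IP differs
    afterTermination: validator.validate('s4', '10.20.30.41').allowed,  // false: session ended
  };
}
```

The order of checks matters: the IP comparison against the stored session value runs before any policy condition, so a session cookie presented from a different address is rejected even if that address would satisfy a role- or group-based condition, and once a session has been terminated it stays terminated for requests from the original address too.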
Policy inputs and conditions
The Policy Input and Policy Conditions tabs display the inputs and conditions of the policy selected in the Allow Policy or Deny Policy field.
These tabs serve as a reference only; you can't use them to change the policy inputs or conditions. To modify your policy, open it using the reference icon next to the Allow Policy or Deny Policy field.