Securing Sessions
Cookie hijacking is not the only danger to sessions. Consider the following non-exhaustive list of scenarios that can result in a compromised account:
- End users entering their data in a malicious website, thinking it is the authentic one.
- End users leaving their computers unattended while their session is open.
- End users logging in from completely different locations or devices than their usual ones.
The following table summarizes the tasks you need to perform to keep sessions secure:
Task | Description | Resources |
---|---|---|
Configure Settings Related to Session Termination | Understand how session termination works in AM, and configure the session time-to-live and idle timeout. Ensuring sessions expire within a reasonable time helps you protect your environment against impersonation attacks. | "Understanding Session Termination" |
Lock Users After Failed Login Attempts | Configure account lockout to protect your environment against brute-force or dictionary attacks. | |
Limit the Number of Active Sessions for a User | Prevent users from logging in from more than two devices at a time, for example. This helps you mitigate cases where user accounts have been compromised. | "Configuring Session Quotas" |
Protect Client-Based Sessions | AM offers additional security measures to protect client-based sessions. They are more vulnerable to hijacking than CTS-based sessions because they carry all the session information themselves. | "Configuring Client-Based Session Security" |
Protect Authentication Sessions | Configure authentication session whitelisting to protect these sessions against replay attacks. | "Configuring Client-Based Session Security" |
Protect Sensitive Attributes (Self-Service) | Prevent attackers from changing sensitive attributes if they do hijack a session. | "Protect Sensitive Attributes" |
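To make the interplay of the first three tasks concrete, the following is an added toy model of a session store that enforces a time-to-live, an idle timeout, a per-user session quota and account lockout. It is illustration code written for this page, not AM's own implementation; the policy values and the quota action (destroy the oldest session) are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed policy values (assumptions, not AM defaults): seconds and counts.
MAX_TTL = 2 * 60 * 60      # session time-to-live: absolute lifetime
MAX_IDLE = 30 * 60         # idle timeout: lifetime without activity
MAX_SESSIONS = 2           # session quota per user
MAX_FAILED_LOGINS = 5      # account lockout threshold

@dataclass
class Session:
    user: str
    created: int        # epoch seconds
    last_activity: int

class SessionStore:
    def __init__(self):
        self.sessions = {}   # token -> Session
        self.failed = {}     # user -> consecutive failed logins
        self.locked = set()  # users locked out after too many failures
        self.counter = 0     # token sequence (constructed, not a real token scheme)

    def sweep(self, now):  # terminate sessions past their TTL or idle timeout
        for token, s in list(self.sessions.items()):
            if now - s.created >= MAX_TTL or now - s.last_activity >= MAX_IDLE:
                del self.sessions[token]

    def login(self, user, password_ok, now):  # token, or None if refused
        if user in self.locked:
            return None
        if not password_ok:
            self.failed[user] = self.failed.get(user, 0) + 1
            if self.failed[user] >= MAX_FAILED_LOGINS:
                self.locked.add(user)     # lock out after repeated failures
            return None
        self.failed.pop(user, None)
        self.sweep(now)
        # Quota: at the limit, destroy the user's oldest live session (assumed action).
        live = sorted((t for t, s in self.sessions.items() if s.user == user),
                      key=lambda t: self.sessions[t].created)
        while len(live) >= MAX_SESSIONS:
            del self.sessions[live.pop(0)]
        self.counter += 1
        token = f"tok-{self.counter}"
        self.sessions[token] = Session(user, now, now)
        return token

    def touch(self, token, now):  # record activity; False if gone or expired
        self.sweep(now)
        if token not in self.sessions:
            return False
        self.sessions[token].last_activity = now
        return True
```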