Secure sessions
Cookie hijacking is not the only danger to sessions. Consider the following non-exhaustive list of scenarios that can result in a compromised account:

- End users entering their data in a malicious website thinking it is the authentic one.
- End users leaving their computers unattended while their session is open.
- End users logging in from completely different locations or devices than usual.
The following table summarizes the tasks you should perform to keep sessions secure:
| Task | Description |
|---|---|
| Settings related to session termination | Understand session termination, and configure the session time-to-live and idle timeout. Ensuring sessions expire within a reasonable time helps you protect your environment against impersonation attacks. |
| Lock accounts after failed login attempts | Configure account lockout to protect your environment against brute-force or dictionary attacks. |
| Limit the number of active user sessions | Prevent users from logging in from more than two devices at a time, for example. This helps you mitigate cases where user accounts have been compromised. |
| Protect client-side sessions | AM offers additional security measures to protect client-side sessions. They are more vulnerable to hijacking than server-side sessions because they carry all of the session information themselves. |
| Protect authentication sessions | Configure authentication session allowlisting to protect these sessions against replay attacks. |
| Delete sessions when users change their passwords | When a user changes their password, existing sessions are not deleted automatically. You should implement a mechanism to invalidate existing sessions on password reset. |
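As an added illustration (not AM's code and not taken from the AM documentation), the following constructed Python model shows how the session-termination, active-session-limit and delete-on-password-change controls from the table interact: a hard session lifetime, an idle timeout that activity renews, a per-user cap on concurrent sessions, and invalidation of all of a user's sessions when their password changes. The class, method names and default values are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    created: float      # login time (seconds)
    last_seen: float    # time of the last validated request
    pw_version: int     # password generation the session was issued under


class SessionStore:
    """Constructed model of the controls above; hypothetical, not AM's code."""
    def __init__(self, max_lifetime=3600.0, idle_timeout=600.0, max_per_user=2):
        self.max_lifetime = max_lifetime   # session time-to-live
        self.idle_timeout = idle_timeout   # idle timeout
        self.max_per_user = max_per_user   # concurrent-session limit
        self.sessions: dict[str, Session] = {}
        self.pw_version: dict[str, int] = {}

    def login(self, user: str, now: float) -> str:
        # Enforce the cap by evicting the user's oldest sessions first.
        mine = sorted((s.created, h) for h, s in self.sessions.items() if s.user == user)
        while len(mine) >= self.max_per_user:
            del self.sessions[mine.pop(0)[1]]
        handle = secrets.token_urlsafe(32)   # unguessable session handle
        self.sessions[handle] = Session(user, now, now, self.pw_version.get(user, 0))
        return handle

    def validate(self, handle: str, now: float) -> bool:
        s = self.sessions.get(handle)
        if s is None:
            return False
        expired = (now - s.created > self.max_lifetime               # lifetime exceeded
                   or now - s.last_seen > self.idle_timeout          # idle too long
                   or s.pw_version != self.pw_version.get(s.user, 0))  # stale password
        if expired:
            del self.sessions[handle]   # terminate rather than merely reject
            return False
        s.last_seen = now               # activity extends the idle window, not the lifetime
        return True

    def change_password(self, user: str) -> int:
        # Bump the generation (safety net) and drop the user's sessions eagerly.
        self.pw_version[user] = self.pw_version.get(user, 0) + 1
        stale = [h for h, s in self.sessions.items() if s.user == user]
        for h in stale:
            del self.sessions[h]
        return len(stale)
```

Sessions that expire without being validated again stay in the store until they are touched, so a production store would also sweep them periodically.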