Securing Sessions

Cookie hijacking is not the only danger to sessions. Consider the following non-exhaustive list of scenarios that can result in a compromised account:

  • End users entering their data in a malicious website thinking it is the authentic one.

  • End users leaving their computers unattended while their session is open.

  • End users logging in from locations or devices completely different from their usual ones.

The following table summarizes the tasks you need to perform to keep sessions secure:

| Task | Resources |
| --- | --- |
| Configure Settings Related to Session Termination: understand how session termination works in AM, and configure the session time-to-live and idle timeout. Ensuring sessions expire within a reasonable time helps you protect your environment against impersonation attacks. | "Understanding Session Termination" |
| Lock Users After Failed Login Attempts: configure account lockout to protect your environment against brute-force or dictionary attacks. | "Configuring Account Lockout" |
| Limit the Number of Active Sessions for a User: prevent users from logging in from more than two devices at a time, for example. This helps you mitigate cases where user accounts have been compromised. | "Configuring Session Quotas" |
| Protect Client-Based Sessions: AM offers additional security measures to protect client-based sessions. They are more vulnerable to hijacking than CTS-based sessions because they carry all of the session information within the session token itself. | "Configuring Client-Based Session Security" |
| Protect Authentication Sessions: configure authentication session whitelisting to protect these sessions against replay attacks. | "Configuring Client-Based Session Security" |
| Protect Sensitive Attributes (Self-Service): prevent attackers from changing sensitive attributes if they do hijack a session. | "Protect Sensitive Attributes" |
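The termination and quota rows above describe three independent limits on a session: a maximum lifetime (time-to-live), an idle timeout, and a per-user cap on concurrent sessions. The following added example (not AM's own code; the class names and the `SessionStore` API are assumptions made for illustration) shows how those limits interact in a simple server-side store: activity resets the idle clock but never the lifetime, and expired sessions stop counting toward the quota.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Session:
    user: str
    created: float        # when the session was issued
    last_activity: float  # last request seen on this session

class SessionStore:
    """Constructed store enforcing a maximum lifetime, an idle timeout and
    a per-user session quota (illustration only, not AM's own CTS code)."""
    def __init__(self, max_lifetime: float, idle_timeout: float, quota: int):
        self.max_lifetime = max_lifetime
        self.idle_timeout = idle_timeout
        self.quota = quota
        self._sessions: Dict[str, Session] = {}

    def is_active(self, sid: str, now: float) -> bool:
        s = self._sessions.get(sid)
        if s is None:
            return False
        # Either limit alone terminates the session.
        if now - s.created >= self.max_lifetime:
            return False
        return now - s.last_activity < self.idle_timeout

    def _purge(self, now: float) -> None:
        # Expired entries must not count toward the quota.
        for sid in [k for k in self._sessions if not self.is_active(k, now)]:
            del self._sessions[sid]

    def create(self, user: str, now: float) -> Optional[str]:
        """Issue a session, or return None when the user is at the quota."""
        self._purge(now)
        if sum(s.user == user for s in self._sessions.values()) >= self.quota:
            return None
        sid = secrets.token_urlsafe(32)  # unguessable identifier
        self._sessions[sid] = Session(user, now, now)
        return sid

    def touch(self, sid: str, now: float) -> bool:
        """Record activity: resets the idle clock, never the lifetime."""
        if not self.is_active(sid, now):
            self._sessions.pop(sid, None)
            return False
        self._sessions[sid].last_activity = now
        return True
```

Times are passed in explicitly (seconds) so the behaviour can be checked deterministically; a real deployment would use the server clock and persist the store.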