Web Security Manager protects against session hijacking and CSRF (Cross Site Request Forgery) by:
1. Binding client IPs to session cookies: a validation cookie is issued containing a cryptographic token (a checksum) which validates session id + client IP + a secret on each client request.
2. Binding forms to sessions and verifying the origin of the form: a form validation parameter is inserted containing a cryptographic token which proves that the action formulator (the system issuing the page containing a form with an action) knows a session specific secret.
3. Timing out idle sessions, so that users do not stay logged in indefinitely, which would leave them exposed to CSRF attacks for as long as the session lives.
When the web system issues a session cookie, Web Security Manager detects it and issues a corresponding session validation cookie. To identify the session cookie it needs the name of the cookie carrying the session id, e.g. PHPSESSID, JSESSIONID, ASPSESSIONID or SID.
An easy way to identify the session cookie name for the site you are configuring protection for is to establish a session with the site (log in, visit the site, or whatever actions are needed to make the site issue a session cookie) and then view the cookies issued for that site in your browser.
Finding the session cookie name in Firefox
When a session is established, view the cookies under Tools → Options → Privacy → Cookies → Show Cookies.
Enter the domain name of the site in the search field.
Session ID name
Input field. The name of the cookie containing the session identifier. This field value is required to enable session and form (CSRF) protection.
Valid input: any regular expression matching the name of the session id cookie.
Input examples:
PHPSESSID
JSESSIONID
ASPSESSIONID
ASPSESSIONID\w+ (matches ASP session ids with random strings appended to the name, like ASPSESSIONIDAAQTDQRT)
SID
Default value: <none>
Secret for signing checksums
Input field. A hard to guess string used to generate session cookie validation tokens. Because every validation token is derived from this value, changing it (or letting it differ between nodes that share traffic) makes all existing validation cookies fail to verify, and the configured session violation action is applied to every active session.
Valid input: any string.
Input example: didnqdndnwqdnqdagdiddbuqh3shjethdnssbvsunjn
Default value: <random value>
Idle session timeout
Input field. The maximum duration of an idle session, in seconds, before it is dropped, resulting in the user being logged out of the web site.
Valid input: an integer in the interval 10 - 86400 (24 hours).
Input example: 900 (15 minutes)
Default value: 600
1.3.7.1. Cookie flags
Add Secure flag to session cookie
Check box. Adds the Secure flag to the session cookie, instructing the user's browser to send the cookie only over an encrypted (HTTPS) connection. Enable this only for sites reached over HTTPS: a Secure cookie is never sent on plain HTTP requests, so HTTP users would lose their session.
Default: <disabled>
Make session cookie HttpOnly
Check box. Adds the HttpOnly flag to the session cookie, instructing the user's browser to make the cookie inaccessible to client side script.
Default: <disabled>
1.3.7.2. HSTS - HTTP Strict Transport Security
HSTS is a mechanism enabling web sites to declare themselves accessible only via secure connections (HTTPS). The policy is declared by web sites via the Strict-Transport-Security HTTP response header field. When HSTS is enabled in WSM the Strict-Transport-Security header is injected into server responses if it is not already present. Note that browsers only honour a Strict-Transport-Security header received over HTTPS (RFC 6797); on a plain HTTP response the header is ignored.
Enable HSTS
Check box. Adds the Strict-Transport-Security header to backend server responses if not already present.
Default: <disabled>
Max age
Input field. Corresponds to the required "max-age" directive of the HSTS header and specifies the number of days, after reception of the STS header field, during which the User Agent (browser) regards the web server (from which the HSTS header was received) as a Known HSTS Host. The directive itself is expressed in seconds (one day = 86400 seconds).
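The three response-side settings above (Secure flag, HttpOnly flag, HSTS injection) amount to a header rewrite on the backend response. The following is an added example of that rewrite, not Web Security Manager's own code: it assumes a session id pattern of PHPSESSID or ASPSESSIONID\w+, treats the backend response as a list of (name, value) header pairs, and converts the days entered in the UI to the seconds the header directive requires.

```python
import re

# Constructed example of a "Session ID name" pattern: matches PHPSESSID and
# ASP session cookies with a random suffix (e.g. ASPSESSIONIDAAQTDQRT).
SESSION_ID_RE = re.compile(r"^(PHPSESSID|ASPSESSIONID\w+)$")


def _has_attr(attrs, name):
    """True if the Set-Cookie attribute list already carries `name`
    (attribute names are case-insensitive per RFC 6265)."""
    return any(a.strip().split("=", 1)[0].lower() == name.lower() for a in attrs)


def harden_set_cookie(value, secure, httponly):
    """Return the Set-Cookie value with Secure / HttpOnly appended when the
    cookie is the session cookie and the flag is missing; other cookies and
    cookies that already carry the flag are returned unchanged."""
    parts = value.split(";")
    name = parts[0].split("=", 1)[0].strip()
    if not SESSION_ID_RE.match(name):
        return value
    if secure and not _has_attr(parts[1:], "Secure"):
        parts.append(" Secure")
    if httponly and not _has_attr(parts[1:], "HttpOnly"):
        parts.append(" HttpOnly")
    return ";".join(parts)


def harden_headers(headers, secure=False, httponly=False, hsts_max_age_days=None):
    """Rewrite a backend response's headers, given as a list of (name, value)
    pairs, the way the settings above describe:
      - the session cookie's Set-Cookie gets Secure and/or HttpOnly,
      - Strict-Transport-Security is injected only when the backend sent none.
    The UI value is in days; the header directive is in seconds (RFC 6797)."""
    out = []
    backend_sent_hsts = False
    for name, value in headers:
        if name.lower() == "set-cookie":
            value = harden_set_cookie(value, secure, httponly)
        elif name.lower() == "strict-transport-security":
            backend_sent_hsts = True
        out.append((name, value))
    if hsts_max_age_days is not None and not backend_sent_hsts:
        out.append(("Strict-Transport-Security",
                    "max-age=%d" % (hsts_max_age_days * 86400)))
    return out


if __name__ == "__main__":
    # Constructed backend response: a session cookie without flags, an
    # unrelated cookie, and no HSTS header from the backend.
    backend = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "PHPSESSID=abc123; Path=/"),
        ("Set-Cookie", "theme=dark; Path=/"),
    ]
    for h in harden_headers(backend, secure=True, httponly=True, hsts_max_age_days=365):
        print("%s: %s" % h)
```

Only the cookie whose name matches the configured pattern is touched, and an HSTS header already set by the backend wins over the injected one, which is the "if not already present" behaviour the settings describe.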
1.3.7.3. Session protection configuration
Enable session protection
Check box. Enables / disables validation of session identifiers. If enabled, Web Security Manager issues a validation cookie containing a cryptographic token (a checksum) which validates session id + client IP + the secret for signing checksums (above) for each client request. The validation cookie is named __PFV__ and is issued whenever Web Security Manager detects a Set-Cookie from the protected web site with a cookie name matching the configured Session ID name (above).
Because the token binds the session to the client IP, clients whose address changes during a session (mobile networks, forward proxies with several egress addresses) fail validation and are handled according to the session violation action below.
Default: <disabled>
Session violation action
What Web Security Manager should do when an invalid session id is detected. Session violation actions:
Block request: the request is blocked and a session cookie with max-age=0 is sent back to the client, causing the client's browser to expire the session cookie.
Drop session, allow request: the session cookie is removed from the request before the request is allowed to reach the web system. In the deny log the request is listed with action = strip.
Default: <Drop session, allow request>
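To make the session protection settings concrete (validation cookie over session id + client IP + secret, idle timeout, and the two violation actions), here is an added example, not Web Security Manager's own implementation. It assumes an HMAC-SHA256 construction with the issue time embedded in the __PFV__ value so that the idle timeout can be enforced without server-side state; WSM's real checksum format is not documented on this page. The secret is the page's input example, the cookie name PHPSESSID and the 600 second timeout are the page's examples and default.

```python
import hashlib
import hmac
import time

# Values taken from the settings above (the secret is the page's input
# example; in a deployment it is the configured or randomly generated value).
SECRET = b"didnqdndnwqdnqdagdiddbuqh3shjethdnssbvsunjn"
SESSION_COOKIE = "PHPSESSID"       # the configured "Session ID name"
VALIDATION_COOKIE = "__PFV__"
IDLE_TIMEOUT = 600                 # seconds, the page's default


def _mac(session_id, client_ip, issued_at):
    """HMAC-SHA256 over session id + client IP + issue time, keyed with the
    signing secret. (Assumed construction, not WSM's documented checksum.)"""
    msg = ("%s|%s|%d" % (session_id, client_ip, issued_at)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_validation_cookie(session_id, client_ip, now=None):
    """Value for the __PFV__ cookie: "<timestamp>.<mac>". Issued when the
    backend's Set-Cookie for the session id is seen, and refreshed on every
    valid request so the timestamp reflects last activity."""
    issued_at = int(time.time() if now is None else now)
    return "%d.%s" % (issued_at, _mac(session_id, client_ip, issued_at))


def validate(session_id, client_ip, validation_cookie, now=None):
    """Return "ok", "missing", "invalid" (wrong session id, client IP or
    secret) or "idle" (token verifies but is older than the idle timeout)."""
    if not validation_cookie or "." not in validation_cookie:
        return "missing"
    ts, mac = validation_cookie.split(".", 1)
    if not ts.isdigit():
        return "invalid"
    if not hmac.compare_digest(mac, _mac(session_id, client_ip, int(ts))):
        return "invalid"
    now = time.time() if now is None else now
    if now - int(ts) > IDLE_TIMEOUT:
        return "idle"
    return "ok"


def enforce(cookies, client_ip, violation_action="strip", now=None):
    """Apply the session violation action to one request. `cookies` is the
    parsed Cookie header as a dict. Returns (allowed, cookies forwarded to
    the backend, extra response headers, log action)."""
    session_id = cookies.get(SESSION_COOKIE)
    if session_id is None:
        return True, dict(cookies), [], "allow"        # no session to validate
    if validate(session_id, client_ip, cookies.get(VALIDATION_COOKIE), now) == "ok":
        fresh = issue_validation_cookie(session_id, client_ip, now)
        refresh = [("Set-Cookie", "%s=%s; Path=/; HttpOnly" % (VALIDATION_COOKIE, fresh))]
        return True, dict(cookies), refresh, "allow"
    if violation_action == "block":
        # "Block request": deny, and expire the session cookie in the browser.
        expire = [("Set-Cookie", "%s=; Max-Age=0; Path=/" % SESSION_COOKIE)]
        return False, {}, expire, "block"
    # "Drop session, allow request": forward without the session cookies;
    # the backend sees an unauthenticated request and the log says "strip".
    forwarded = {k: v for k, v in cookies.items()
                 if k not in (SESSION_COOKIE, VALIDATION_COOKIE)}
    return True, forwarded, [], "strip"
```

A request from a different client IP with a valid session id fails the MAC exactly like a tampered cookie, which is the session hijacking case the binding is meant to catch; the same failure is what a legitimately roaming client triggers, so "Drop session, allow request" (a forced re-login) is the gentler default.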
1.3.7.4. CSRF protection configuration
Generate request form validation tokens (CSRF protection)
Check box. Enables / disables generation of request form validation tokens (CSRF protection). If enabled, Web Security Manager parses web system responses of type text/* searching for form tags. When form tags are detected, a session specific checksum validating the form action is inserted into the form as a hidden parameter named ___pffv___. Forms that client side script builds after the page has loaded are not in the response body and therefore receive no token; check such applications before enforcing a blocking violation action.
Default: <disabled>
Now go to Policy → Web applications to enable request validation for specific applications (see Section 1.4.1, "Web application settings"). If configured, the Learner will learn and configure CSRF protection for applications.
Form violation action
What Web Security Manager should do when an invalid request is detected. Form violation actions:
Block request: the request is blocked and a session cookie with max-age=0 is sent back to the client, causing the client's browser to expire the session cookie.
Drop session, allow request: the session cookie is removed from the request before the request is allowed to reach the web system. In the deny log the request is listed with action = strip.
Default: <Drop session, allow request>
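The form token mechanism described in this section (parse text/* responses for form tags, insert a hidden ___pffv___ parameter carrying a session specific checksum of the form action, validate it on the way back and apply the form violation action) as an added example, not Web Security Manager's code. The token construction is assumed: a per-session key derived from the signing secret, then an HMAC of the form action under that key. Forms are located with a regular expression, which is enough to show the idea but not a substitute for a real HTML parser.

```python
import hashlib
import hmac
import re

SECRET = b"didnqdndnwqdnqdagdiddbuqh3shjethdnssbvsunjn"   # page's example secret
FORM_TOKEN_PARAM = "___pffv___"

_FORM_TAG = re.compile(r"<form\b[^>]*>", re.IGNORECASE)
_ACTION_ATTR = re.compile(
    r"""(?<![\w-])action\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def session_key(session_id):
    """Per-session key derived from the signing secret, so a token minted
    under one session does not verify under another (assumed construction)."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).digest()


def form_token(session_id, action):
    """Session specific checksum over the form action."""
    return hmac.new(session_key(session_id), action.encode(), hashlib.sha256).hexdigest()


def inject_tokens(html, session_id):
    """Insert a hidden ___pffv___ input right after each <form ...> opening
    tag. A form without an action attribute submits to the current URL; this
    example represents that as "" and the validator must pass the same."""
    def add_token(match):
        tag = match.group(0)
        attr = _ACTION_ATTR.search(tag)
        action = next((g for g in attr.groups() if g is not None), "") if attr else ""
        token = form_token(session_id, action)
        return '%s<input type="hidden" name="%s" value="%s">' % (tag, FORM_TOKEN_PARAM, token)
    return _FORM_TAG.sub(add_token, html)


def process_response(content_type, body, session_id):
    """Only responses of type text/* are parsed for forms; anything else
    (and responses with no established session) passes through unchanged."""
    if not session_id or not content_type.lower().startswith("text/"):
        return body
    return inject_tokens(body, session_id)


def validate_form_request(session_id, action, params, violation_action="strip"):
    """Check the token submitted with a form request against the session and
    the target action. Returns (allowed, drop session cookie, log action)."""
    submitted = params.get(FORM_TOKEN_PARAM, "")
    expected = form_token(session_id, action) if session_id else ""
    if session_id and hmac.compare_digest(submitted.encode(), expected.encode()):
        return True, False, "allow"
    if violation_action == "block":
        return False, True, "block"
    return True, True, "strip"


if __name__ == "__main__":
    # Constructed backend page with two forms, one of them without an action.
    page = ('<html><form action="/transfer" method="post"><input name="amt"></form>'
            '<form method=post>x</form></html>')
    print(process_response("text/html; charset=utf-8", page, "abc"))
```

A cross-site page cannot produce the token because it never sees the victim's session id and the signing secret never leaves the proxy; a token lifted from another session fails because the key is session specific, and a token for one action does not validate for another.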
1.3.7.5. Request authorization configuration
Enable request authorization
Check box. Enables / disables request authorization for configured web applications. If enabled, Web Security Manager authorizes access to resources based on session validity. Request authorization is only enforced for resources for which this feature is enabled.
Default: <disabled>
Now go to Policy → Web applications to enable request authorization for specific applications and other resources, including static files (see Section 1.4.1, "Web application settings").