Preventing Session Hijacking

The LogicNets run-time uses secure cookies to prevent a URL containing a session id from being copied across browsers and clients. This prevents hijacking of a session if a sniffer captures the URL that a user has opened.

Session hijacking prevention is enabled by default when HTTPS is used. The browser must support session cookies for this to work. If the browser does not support session cookies, if they are disabled, or if the URL is opened in another browser, the following message appears:

    "You do not have access to this session"

The session cookie is shared between all sessions in the same browser on a client's machine. The session cookie is renewed at every login and every time a new session is created.

Disabling session hijacking prevention
Session hijacking prevention can be disabled via the configuration file on the server. You must edit, or create if it does not exist, the configuration file
/dat/bnt//settings.cfg

Add the following lines to this configuration file:

    _global = _global or {}
    _global.SECURITY = _global.SECURITY or {}
    _global.SECURITY.DISABLE_SESSION_PINNING = 1
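The following is an added model of the pinning behaviour described above and of the effect of the DISABLE_SESSION_PINNING switch; it is illustrative code written for this page, not the LogicNets run-time's own implementation. It assumes a server-side table that maps each session id (carried in the URL) to the cookie value it was created under, so that a copied URL presented without that cookie is refused with the message quoted above.

```python
import hmac
import secrets

# Message shown by the run-time when the URL session id and the browser cookie do not match.
ACCESS_DENIED = "You do not have access to this session"


class SessionPinner:
    """Hypothetical model of session pinning (not the LogicNets implementation).

    Each session id is pinned to the browser-wide session cookie that existed
    when it was created. The cookie is renewed on every login / new session,
    and all sessions of that browser are re-pinned to the renewed cookie.
    """

    def __init__(self, disable_session_pinning=False):
        # Mirrors _global.SECURITY.DISABLE_SESSION_PINNING = 1 from the config above.
        self.disabled = disable_session_pinning
        self.sessions = {}  # session_id -> cookie value it is pinned to

    def create_session(self, current_cookie=None):
        """Create a session; returns (session_id, renewed_cookie)."""
        new_cookie = secrets.token_urlsafe(32)
        # The cookie is shared by all sessions of one browser, so every session
        # that was pinned to the previous cookie follows the renewed one.
        if current_cookie is not None:
            for sid, pinned in list(self.sessions.items()):
                if hmac.compare_digest(pinned, current_cookie):
                    self.sessions[sid] = new_cookie
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = new_cookie
        return session_id, new_cookie

    def check(self, session_id, cookie):
        """Validate a request carrying session_id in the URL and cookie (or None)."""
        pinned = self.sessions.get(session_id)
        if pinned is None:
            return False, ACCESS_DENIED  # unknown or expired session
        if self.disabled:
            return True, ""  # pinning switched off: the URL alone suffices
        # Constant-time comparison; a copied URL without the browser's cookie fails here.
        if cookie is None or not hmac.compare_digest(pinned, cookie):
            return False, ACCESS_DENIED
        return True, ""
```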



Safari browser and iframes
By default the Safari browser blocks the setting of session cookies when a web page is opened in an iframe. This can be disabled by changing a setting in your Safari browser: "privacy and security" > disable "do not track", or by disabling session hijacking prevention.

NOTE:
In IE/Edge, cookies for domains that contain one or more _ (underscore) characters will not be stored, making it impossible to use HTTPS. The underscore is formally an illegal character in a domain name, so its use is discouraged.
