Preventing Session Hijacking
Description
Session hijacking is the exploitation of a valid computer session -- sometimes also called a session key -- to gain unauthorized access to information or services in a computer system. LogicNets binds each session to a secure cookie so that a URL containing a session id cannot simply be copied to another browser or client; this prevents the session from being hijacked.
Prevention
Session hijacking prevention is enabled by default when your application uses HTTPS, but the browser must support session cookies for it to work. If the browser does not support session cookies, if they are disabled, or if the URL is opened in another browser, LogicNets displays the following message:
"You do not have access to this session."
The LogicNets runtime shares the session cookie between all sessions of the same browser on a client's machine. The system renews this session cookie at every login and each time a new session is created.
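To make the mechanism above concrete, the following is an added illustration written for this page; it is not LogicNets code and the class, method and cookie names (PinnedSessionStore, ln_pin, disable_pinning) are assumptions. It models a browser-wide cookie that every session from that browser shares, binds each session id to the cookie value current when the session was created, rotates the cookie on login or session creation, and refuses a session id that arrives without the matching cookie (the copied-URL case) with the message quoted above. The disable_pinning flag models the DISABLE_SESSION_PINNING setting described in the next section.

```python
import hmac
import secrets
from dataclasses import dataclass, field

DENIED_MESSAGE = "You do not have access to this session."


@dataclass
class PinnedSessionStore:
    """Toy model of session pinning (hypothetical; not LogicNets code).

    A browser-wide cookie value (the 'pin') is issued once per browser and
    shared by all sessions opened from that browser. Each session id is bound
    to the pin that was current when the session was created. A request that
    presents a session id but not the pin it is bound to is refused, which is
    what stops a URL copied to another browser or client from working.
    """
    disable_pinning: bool = False                       # mirrors DISABLE_SESSION_PINNING = 1
    sessions: dict = field(default_factory=dict)        # session_id -> bound pin
    valid_pins: set = field(default_factory=set)        # pins currently accepted

    def issue_pin(self) -> str:
        """Mint a fresh, unguessable pin for a browser that has none yet."""
        pin = secrets.token_urlsafe(32)
        self.valid_pins.add(pin)
        return pin

    @staticmethod
    def set_cookie_header(pin: str) -> str:
        """Header that delivers the pin as a secure, script-inaccessible cookie."""
        return f"Set-Cookie: ln_pin={pin}; Secure; HttpOnly; SameSite=Lax; Path=/"

    def renew_pin(self, old_pin: str) -> str:
        """Rotate the browser's pin and re-bind every session that used the old one.

        Called on login and whenever a new session is created, as the page says
        the runtime does; the old value stops being accepted.
        """
        new_pin = self.issue_pin()
        self.valid_pins.discard(old_pin)
        for sid, bound in list(self.sessions.items()):
            if bound == old_pin:
                self.sessions[sid] = new_pin
        return new_pin

    def create_session(self, pin: str) -> tuple:
        """Create a session for a browser presenting `pin`; returns (session_id, rotated pin)."""
        if pin not in self.valid_pins:
            raise PermissionError(DENIED_MESSAGE)
        new_pin = self.renew_pin(pin)
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = new_pin
        return sid, new_pin

    def access(self, session_id: str, cookie_pin) -> tuple:
        """Decide whether a request carrying `session_id` (e.g. from the URL)
        and the cookie value `cookie_pin` (None if absent) may use the session."""
        if session_id not in self.sessions:
            return False, DENIED_MESSAGE
        if self.disable_pinning:
            # Pinning off: the session id alone is sufficient, so a copied URL works.
            return True, "ok"
        if cookie_pin is None:
            return False, DENIED_MESSAGE
        # Constant-time comparison so timing does not leak the bound value.
        if not hmac.compare_digest(self.sessions[session_id], cookie_pin):
            return False, DENIED_MESSAGE
        return True, "ok"


if __name__ == "__main__":
    store = PinnedSessionStore()
    pin_a = store.issue_pin()                    # browser A receives its cookie
    sid, pin_a = store.create_session(pin_a)     # cookie is rotated on session creation
    print(store.set_cookie_header(pin_a))
    print("same browser:", store.access(sid, pin_a))
    print("copied URL, no cookie:", store.access(sid, None))
    pin_b = store.issue_pin()                    # a different browser with its own cookie
    print("copied URL, other browser:", store.access(sid, pin_b))
```

The check in `access` is the whole point: the session id may be visible in a URL, but it is only honoured together with a cookie that the browser sends automatically and that was never part of the URL, so copying the link is not enough.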
Disabling Session Hijacking Prevention
While we do not recommend it, you can disable session hijacking prevention in the configuration file on the server. Edit, or create, the configuration file located at /dat/bnt//settings.cfg and add the following lines to it:
_global = _global or {}
_global.SECURITY = _global.SECURITY or {}
_global.SECURITY.DISABLE_SESSION_PINNING = 1
Safari Browser and iFrames
By default, the Safari browser blocks the setting of session cookies when a user opens a web page in an iFrame. You can work around this either by changing the settings in your Safari browser (go to Privacy and Security > "do not track") or by disabling session hijacking prevention.
NOTE: In IE/Edge, cookies for domains that contain one or more underscore (_) characters will not be stored, making it impossible to use HTTPS. The underscore is formally an illegal character in a domain name, so the use of underscores is discouraged.