Session Handler

Purpose

This handler is ignored in detection mode.

With an active session handler, vWAF establishes a separate, secure session between the web server and the client. In the process, a cryptographically secure session ID is stored in a cookie (the name of this cookie can be specified in the Global Configuration).

This handler is required by, and relevant to, the Cookie Jar Handler.

For more information regarding adding and editing Handlers, see Editing Handlers.

Severity

Events triggered by this handler are given the severity: low. (For details on severity levels, see Severity of Events Triggered by Handlers).

Recommendations for use

Activating this handler is a requirement for many of the other handlers. It should always be active. To simplify configuration, you can also use the Secure Session Wizard.

Attributes

Attribute Meaning

timeout

Period in seconds after which a session is ended automatically following user inactivity.

SSLsession

Activate this option if you want vWAF to use the SSL connection session in the case of an SSL connection, rather than establishing a session itself.

ATTENTION
Microsoft Internet Explorer negotiates new SSL session IDs at regular intervals, thus preventing the efficient use of this option.

URLSession

Usually, vWAF writes the secure session ID to a cookie. When you enable the option URLSession, vWAF instead inserts the session ID into the URL of responses.

In general, we recommend disabling the option URLSession and using the session cookie whenever possible.

ATTENTION
Parsing responses and inserting session IDs into the URLs may have a negative impact on performance. Use the attribute URLSessionContentTypes to limit the procedure to those responses that actually contain URLs.

URLSessionContentTypes

Only has an effect if the option URLSession is enabled.

Here you must specify which types of responses may contain session IDs. Usually, this is text/html and text/xml, but not images or downloads.

CookieSecure

When this option is enabled, cookie communication is limited to encrypted transmission.

In this case, the user's browser returns the cookie only for HTTPS requests. Only makes sense if your web application can be called via HTTPS.

CookieHttpOnly

When this option is enabled, cookies are only used via HTTP. Client-side scripts, such as JavaScript, then can't read the cookie.

Only makes sense if no JavaScript XMLHttpRequests to the same web application are used.

limitNewSessionsPerIP

Activate this option if you want vWAF to establish no more than a specified maximum number of sessions per IP address. Additional requests are denied with the error code 503 (service unavailable).

Automated scripts, for example, usually don't support sessions and therefore establish a new session with each request. In this case you could restrict the maximum number of sessions to 10 per IP address, but you should then create a whitelist of IP addresses that you know many users share for access via proxies (see attributes below).

limitNewSessionsPerIPperMinute

Maximum average number of new sessions per IP address and minute. You can also specify decimal fractions with a dot as the decimal indicator. Example: 10.5

The calculation is carried out in accordance with the token bucket procedure. The attribute limitNewSessionsPerIPBurst forms the bucket (its capacity), and the attribute limitNewSessionsPerIPperMinute determines the rate at which tokens are added to it.

This specification only has an effect if the option limitNewSessionsPerIP has been activated.

limitNewSessionsPerIPBurst

Maximum number of new sessions per IP address.

This specification only has an effect if the option limitNewSessionsPerIP has been activated.

limitNewSessionsPerIPwhitelist

Ranges of IP addresses for which the restrictions made under limitNewSessionsPerIPBurst and limitNewSessionsPerIPperMinute do not apply.

Specification in the format xxx.xxx.xxx.xxx/xx (for syntax, see Specifying IP Addresses).

This whitelist only has an effect if the option limitNewSessionsPerIP has been activated.
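The following added example (not vWAF's own code) models how the three limitNewSessionsPerIP* attributes interact: a token bucket per client IP whose capacity is the Burst value, refilled at the PerMinute rate, with whitelisted ranges exempt. The attribute values, IP addresses and request timings are constructed for illustration; vWAF's internal implementation may differ in detail.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example values mirroring the handler attributes (not vWAF defaults).
LIMIT_NEW_SESSIONS_PER_IP_BURST = 3          # limitNewSessionsPerIPBurst: bucket capacity
LIMIT_NEW_SESSIONS_PER_IP_PER_MINUTE = 6.0   # limitNewSessionsPerIPperMinute: refill rate
WHITELIST = [ipaddress.ip_network("10.0.0.0/8")]  # limitNewSessionsPerIPwhitelist (constructed)


@dataclass
class Bucket:
    tokens: float   # tokens currently available for this IP
    last: float     # timestamp (seconds) of the last refill


class NewSessionLimiter:
    """Token-bucket limiter for new sessions per client IP (illustrative model)."""

    def __init__(self, burst, per_minute, whitelist):
        self.burst = float(burst)
        self.rate = per_minute / 60.0   # tokens per second
        self.whitelist = whitelist
        self.buckets = {}

    def allow_new_session(self, ip, now):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.whitelist):
            return True   # whitelisted ranges (e.g. shared proxies) are never limited
        bucket = self.buckets.get(addr)
        if bucket is None:
            bucket = Bucket(tokens=self.burst, last=now)   # a fresh bucket starts full
            self.buckets[addr] = bucket
        # Refill proportionally to elapsed time, never beyond the burst capacity.
        bucket.tokens = min(self.burst, bucket.tokens + (now - bucket.last) * self.rate)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False   # the handler would answer 503 Service Unavailable


def simulate(events, limiter):
    """Return the status each (timestamp, ip) new-session attempt would receive."""
    return [200 if limiter.allow_new_session(ip, t) else 503 for t, ip in events]


if __name__ == "__main__":
    # Constructed trace: four immediate attempts, then two more 20 seconds later.
    trace = [(0, "203.0.113.5")] * 4 + [(20, "203.0.113.5")] * 3
    lim = NewSessionLimiter(LIMIT_NEW_SESSIONS_PER_IP_BURST,
                            LIMIT_NEW_SESSIONS_PER_IP_PER_MINUTE, WHITELIST)
    print(simulate(trace, lim))
```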

usertext

Optional:

Here you can specify some text that vWAF adds to the log file entries created by this handler. You can use this, for example, to document why you've added the handler to your configuration, and how the handler is intended to behave.

enable logging

Disable this option if you do not want vWAF to create a log file entry when the handler is executed. This can be useful to keep log files smaller in case the handler creates a large number of entries but you don't need these entries.

When in detection mode, disabling logging de facto makes the handler ineffective. Disabling logging also prevents the actions of the handler from being taken into account for the Top-10 lists in Attack Analysis, and from being listed in Reports. To decrease the size of the log files, also consider enabling reduced logging, which excludes all non-handler-related information from the log files (see Editing Applications).

For details regarding entries added to the log file by this handler, see the relevant section in Entries in Application-Specific Log Files.