Session Security

Content Type: Module
Categories: Utility,User Interface

Overview

The Session Security Module enhances application security by protecting against session hijacking, replay attacks, and unauthorized access using a layered validation approach.

It combines:

  • Device token tracking
  • Request fingerprinting
  • Session validation
  • Rate limiting
  • Identity verification flows

 

Documentation

Overview

 

The Session Security Module enhances application security by protecting against session hijacking, replay attacks, and unauthorized access using a layered validation approach.

It combines:

  • Device token tracking
  • Request fingerprinting
  • Session validation
  • Rate limiting
  • Identity verification flows

 

Key Features

 

 Device Token Management

  • Generates a secure random device token
  • Stored in HttpOnly, Secure cookies
  • Enables persistent device recognition

 

Device Fingerprinting

  • Built using:
    1. User-Agent
    2. IP Address
    3. Accept-Language
  • Detects suspicious session/environment changes

Session Validation

 

  • Validates device + session on every request
  • Detects hijacked or reused sessions

 Rate Limiting

 

  • Multi-layer protection:
    1. IP-based
    2. Session-based
    3. Fingerprint-based

Identity Verification Layer

 

  • Supports:
    1. Device-based verification
    2. Token-based validation
    3. Fallback verification without token

 

 Forced Logout

 

  • Immediate session invalidation
  • Useful for suspicious activities

Module Components

 

Java Actions

 

Action Name

Description

GenerateAndSetDeviceToken

Generates device token and sets secure cookie

GetCurrentDeviceFingerPrint

Generates fingerprint from request

GetDeviceTokenFromRequest

Extracts device token from cookie

GetCurrentCookieToken

Retrieves cookie token

GetSessionId

Returns current session ID

GetUserIP

Retrieves user IP

ForceLogoutSession

Terminates session

RateLimitation_IP_Fingerprint_Session

Advanced rate limiting

RateLimitationSessionBased

Session-based rate limiting

Logics

 

Logics

Description

ACT_Login

Secure login entry point with validation

SUB_SetDeviceTokeninCookieAndDB

Stores device token in cookie and database

SUB_VerifyUserIdentity

Validates user using device token + fingerprint

SUB_VerifyUserIdentity_WithoutToken

Handles users without device token (new device scenario)

SUB_RateLimitation_fingerprint

Fingerprint-based rate limiting

SUB_RateLimitation_Session

Session-based rate limiting

SUB_Sample

Example implementation flow

Login:

 

Use the nanoflow ACT_LoginViaMicroflow to automatically configure the session security and To validate use SUB_VerifyUserIdentity_WithoutToken or any verify microflow.

 

 

 

Releases

Version: 1.1.2
Framework Version: 10.24.14
Release Notes:

Fix applied for the production issue ticket 01 of auto-logout.

Version: 1.1.1
Framework Version: 10.24.14
Release Notes:

Automatic custom login and management of session cookie theft is implemented

Version: 1.1.0
Framework Version: 10.24.14
Release Notes:

A new approach to user login using a microflow, where all required measures are automatically handled through a single action is added.

Version: 1.0.0
Framework Version: 10.24.14
Release Notes:

The Session Security Module enhances application security by protecting against session hijacking, replay attacks, and unauthorized access using a layered validation approach.

It combines:

  • Device token tracking
  • Request fingerprinting
  • Session validation
  • Rate limiting
  • Identity verification flows