Validation of the client identifier for a session
We can configure IBM Security Verify Access to validate a client identifier for each session so that a session established by one client cannot be reused by a different client (for example, by an attacker who has obtained the session cookie).
A client identifier can be the client's IP address or the contents of a configured HTTP header. The client identifier is associated with the session when the session is first established. WebSEAL then checks the client identifier on subsequent requests to ensure that a different client is not attempting to access the session.
If the client connects directly to the WebSEAL server, the IP address of the client can be used to identify the client. However, if the WebSEAL traffic is routed through a firewall or proxy that terminates the network connection, WebSEAL sees the address of that device rather than the client's, so the contents of an HTTP header that the device sets (for example, the X-Forwarded-For header) can be used to identify the client instead. Use a header only when the terminating device reliably sets it and clients cannot bypass that device and reach WebSEAL directly; a client that connects directly can supply any value for the header itself.
We can configure the client identifier to be validated for a session with the client-identifier stanza entry. The identifier is added to the credential as the client_identifier attribute and is validated on subsequent requests to ensure that the client does not change. See client-identifier for more information. If failover cookies are used, also add the client_identifier credential attribute to the failover cookie by modifying the [failover-add-attributes] and [failover-restore-attributes] stanzas so that the client identifier persists across a failover event. Otherwise, an attacker who obtains the failover cookie could use it to establish a new session from a different client, because the restored credential would carry no identifier to check against.
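The following Python model is an added example illustrating the mechanism described above; it is not WebSEAL code and does not reproduce WebSEAL's configuration syntax. It assumes a request is represented as a dictionary with a remote_addr and a headers map, that the terminating proxy's address (TRUSTED_PROXIES) is known, and that the failover cookie is modelled as an HMAC-protected attribute bundle; all of these names, and the demo key, are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: address of the network-terminating firewall/proxy in front of the
# server. Only connections from this address may carry a trusted client header.
TRUSTED_PROXIES = {"10.0.0.5"}

# Assumption: constructed demo key for the modelled failover cookie.
FAILOVER_KEY = b"constructed-demo-key-do-not-use"


def client_identifier(request, source="ip", header="X-Forwarded-For"):
    """Derive the identifier that is bound to a session.

    source="ip"     : the peer address the server sees (direct connections).
    source="header" : the value the terminating proxy appended to `header`.
    Returns None when no trustworthy identifier is available.
    """
    if source == "ip":
        return request["remote_addr"]
    # Header mode is only meaningful when the proxy set the header; a client
    # that reaches the server directly can write any value it likes.
    if request["remote_addr"] not in TRUSTED_PROXIES:
        return None
    value = request["headers"].get(header)
    if not value:
        return None
    # The proxy appends the real peer address. Earlier elements may have been
    # supplied by the client, so trust only the rightmost one.
    return value.split(",")[-1].strip()


class SessionCache:
    """Minimal model of a session cache that pins each session to a client."""

    def __init__(self, source="ip"):
        self.source = source
        self._sessions = {}

    def create(self, request, user):
        cid = client_identifier(request, self.source)
        if cid is None:
            raise ValueError("cannot determine client identifier")
        sid = secrets.token_hex(16)
        # The identifier is recorded with the credential when the session starts.
        self._sessions[sid] = {"user": user, "client_identifier": cid}
        return sid

    def lookup(self, sid, request):
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        # Every subsequent request must come from the same client.
        if client_identifier(request, self.source) != sess["client_identifier"]:
            return None
        return sess


def make_failover_cookie(session):
    """Serialise the credential attributes (client_identifier included) and MAC them."""
    payload = json.dumps(session, sort_keys=True).encode()
    tag = hmac.new(FAILOVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def restore_from_failover_cookie(cookie, request, source="ip"):
    """Rebuild a session from the cookie, refusing it when presented by another client."""
    raw = base64.urlsafe_b64decode(cookie)
    payload, tag = raw[:-32], raw[-32:]
    expected = hmac.new(FAILOVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    attrs = json.loads(payload)
    # Without this check a stolen failover cookie would start a fresh session
    # for whoever presents it.
    if attrs.get("client_identifier") != client_identifier(request, source):
        return None
    return attrs


if __name__ == "__main__":
    # Constructed sample requests: a legitimate client and an attacker replaying its session.
    victim = {"remote_addr": "203.0.113.7", "headers": {}}
    attacker = {"remote_addr": "198.51.100.9", "headers": {}}
    cache = SessionCache("ip")
    sid = cache.create(victim, "alice")
    print("victim lookup  :", cache.lookup(sid, victim))
    print("attacker lookup:", cache.lookup(sid, attacker))
    cookie = make_failover_cookie(cache.lookup(sid, victim))
    print("victim restore  :", restore_from_failover_cookie(cookie, victim))
    print("attacker restore:", restore_from_failover_cookie(cookie, attacker))
```

In header mode the model trusts only the rightmost X-Forwarded-For element and only on connections arriving from the configured proxy, which is the property the paragraph above relies on when a terminating firewall sits in front of WebSEAL.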
Parent topic: Session state overview
Related concepts
- Session state concepts
- Supported session ID data types
- Information retrieved from a client request
- WebSEAL session cache structure
- Deployment considerations for clustered environments
- Options for handling failover in clustered environments