Your laptops and networks are firewalled. Your cloud services have workload protection platforms and detection and response tools. But what about the data flowing between your users and your apps?
User sessions make a tempting target for hackers and criminals looking for a way into your business. They can compromise user sessions to harvest login credentials and access your databases. That can lead to cyber-ransom demands, misuse of accounts or the destruction of your business.
This is why more app owners and creators are looking at more granular security to protect sessions and session cookies from being compromised.
For readers who are not IT security specialists, a session is simply the period between a user connecting to your app or service and leaving it, whether by closing the app, logging off, or leaving the app in the background, in which case the session expires after a fixed time.
Sessions are tracked by session cookies, cousins of the traditional cookies that form part of the backbone of the internet. These temporary values identify the session, the user, and some product features or user actions. At the user end, the browser holds a token permitting access, which expires when the session ends.
Every single internet connection, many billions per day, to an app, API or gated website uses session cookies or similar features such as JSON Web Tokens (JWTs). They support authentication and session management. Session cookies are created on the server and held in memory while a user accesses an application or website, maintaining the login as the user moves between pages or features.
The huge volume and repeat nature of web traffic make session cookies a tempting target for hackers. Most businesses assume their users and services are secure, but all it takes is an insecure WiFi connection or a compromised server, and criminals can gain access.
Hackers love breaching sessions because it helps them bypass other security features like multi-factor authentication. As a result, they can steal data or money, or acquire digital assets for their own use.
Hackers use man-in-the-middle (MITM) attacks, among other tricks like session sniffing and client-side attacks, to try to hijack the information in these cookies. Inbox-based MITM attacks are up 35% since last year alone, and there are many other methods.
Once hackers have access to cookie information they can take over the session and cause havoc for that user’s account, or do further damage to your business operations.
Having got your attention, let us look at how you can protect against the vulnerabilities typical of sessions and session cookies. There are three main weak points:
There are more detailed and nuanced articles about these weaknesses and how to mitigate them, but the primary solution is to utilize user session management to take greater control over sessions.
Recent real-world examples include Citrix NetScaler user sessions being exposed. This shows it can happen even to the professionals, and it caused global alerts for businesses large and small.
User session management (USM) is a specific tool or part of a security suite that creates rules to better protect your users and their sessions. By improving the strength and security of the session cookie/token, everyone is better guarded.
Some USM settings include:
Most security tools offer a list of settings to protect your sessions. If you don’t have one installed, tools like Nblocks can provide a simple and fast solution to protect your apps.
Nblocks has a simple feature in its Authentication settings to set the time limits for access and refresh token lifetimes to minimize the risk of a breach. These and other features in the free tool help protect apps and their users.
Typically you can add USM to your apps through a set of steps; the OWASP Session Management Cheat Sheet is a good place to start. Most back-end services offer a few key settings to tweak, but with large volumes of sessions and requests you may need automated tools to handle features like:
Larger firms use fully-rounded security tools and add AI and automation to scan every session for suspicious activity and new patterns. But you don’t have to be an IT security guru to make your app sessions more secure, protecting both your business and your users.
With an ever-growing range of threats and volume of traffic, a few simple steps to keep hackers out of sessions mean you can focus on the other threats and your business model. Your app will never be 100% secure, but every step to greater protection helps. And, alongside firewalls, virus checkers and cloud protection apps, ensuring your sessions are protected is a good step forward in securing your business.