Enable Protection Against Session Hijacking

To provide an enhanced level of security for SuperWEB2, you can enable the following two configuration parameters in <tomcat_home>\webapps\webapi\WEB-INF\web.xml. These parameters are commented out by default:

XML
<!-- Session UserAgent Filter -->
<!-- 
<filter>
  <filter-name>SessionUserAgentFilter</filter-name>
  <filter-class>au.com.str.webapi.webcontent.common.servlet.http.filter.SessionUAFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SessionUserAgentFilter</filter-name>
  <url-pattern>*</url-pattern>
</filter-mapping>
-->
    
<!-- Session IP Filter -->
<!-- 
<filter>
  <filter-name>SessionIPFilter</filter-name>
  <filter-class>au.com.str.webapi.webcontent.common.servlet.http.filter.SessionIPFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SessionIPFilter</filter-name>
  <url-pattern>*</url-pattern>
</filter-mapping>
-->

Remove the comments to activate user agent and IP address filtering:

XML
<!-- Session UserAgent Filter -->
<filter>
  <filter-name>SessionUserAgentFilter</filter-name>
  <filter-class>au.com.str.webapi.webcontent.common.servlet.http.filter.SessionUAFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SessionUserAgentFilter</filter-name>
  <url-pattern>*</url-pattern>
</filter-mapping>
    
<!-- Session IP Filter -->
<filter>
  <filter-name>SessionIPFilter</filter-name>
  <filter-class>au.com.str.webapi.webcontent.common.servlet.http.filter.SessionIPFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SessionIPFilter</filter-name>
  <url-pattern>*</url-pattern>
</filter-mapping>

When these filters are enabled, SuperWEB2 records the client's IP address and browser (User-Agent) for each session and checks them on every subsequent request. If either value changes during the session, the user is logged out automatically.

This reduces the risk that a captured session token can be replayed from another machine or browser to hijack the user's session. Two caveats apply when you enable them. First, the IP check also logs out legitimate users whose address changes mid-session (for example on mobile networks or behind load-balanced egress proxies), and if SuperWEB2 sits behind a reverse proxy, every client may appear to come from the proxy's address, which defeats the check unless Tomcat is configured to take the client address from the proxy's forwarding header. Second, the User-Agent check on its own is a weak control, since an attacker who can capture the session cookie can usually capture and replay the User-Agent string as well. Treat these filters as one extra layer alongside HTTPS-only, HttpOnly session cookies, not as a substitute for them.
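To show what a session-binding filter of this kind does behind the web.xml mapping above, here is an illustrative servlet filter written for this page. It is not SuperWEB2's SessionUAFilter or SessionIPFilter and does not reproduce their internals; it assumes a javax.servlet container such as the Tomcat version SuperWEB2 ships with, and the package and attribute names are made up for the example. It pins a session to the User-Agent and client address seen on its first request and invalidates the session when either changes:

```java
package example.session; // illustrative package, not part of SuperWEB2

import java.io.IOException;
import java.util.Objects;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative session-binding filter (example code, not SuperWEB2's).
 * On the first request that carries a session it records the User-Agent
 * and remote address; on every later request it compares them and
 * invalidates the session on a mismatch, forcing a fresh login.
 */
public class SessionBindingFilter implements Filter {
    // Session attribute names are assumptions for this example.
    static final String UA_ATTR = "binding.userAgent";
    static final String IP_ATTR = "binding.remoteAddr";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session here, so requests without
        // one (not yet logged in) pass through untouched.
        HttpSession session = request.getSession(false);
        if (session != null && !bindingMatches(session, request)) {
            session.invalidate(); // user must log in again
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "Session binding mismatch");
            return;
        }
        chain.doFilter(req, res);
    }

    /** Records the binding on first sight; afterwards compares strictly. */
    static boolean bindingMatches(HttpSession session, HttpServletRequest request) {
        String ua = request.getHeader("User-Agent");
        // Behind a reverse proxy this is the proxy's address unless Tomcat's
        // RemoteIpValve (or equivalent) rewrites it from the forwarding header.
        String ip = request.getRemoteAddr();

        Object boundUa = session.getAttribute(UA_ATTR);
        Object boundIp = session.getAttribute(IP_ATTR);
        if (boundUa == null && boundIp == null) {
            session.setAttribute(UA_ATTR, ua);
            session.setAttribute(IP_ATTR, ip);
            return true;
        }
        // Objects.equals tolerates a missing User-Agent header on both sides
        // without throwing, while still failing if it appears or disappears.
        return Objects.equals(boundUa, ua) && Objects.equals(boundIp, ip);
    }
}
```

Such a filter would be registered in web.xml with a filter and filter-mapping element exactly like the two shown above. The remote-address comparison is the part that needs thought in a proxied deployment: Tomcat's RemoteIpValve can populate getRemoteAddr() from a trusted proxy's X-Forwarded-For header, but only when the list of trusted proxies is configured, otherwise the header is attacker-controlled and must not be trusted.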
