Skip to main content
Skip table of contents

Enable Protection Against Session Hijaking - SuperWEB2

To provide an enhanced level of security for SuperWEB2, you can enable the following two configuration parameters in <tomcat_home>\webapps\webapi\WEB-INF\web.xml. These parameters are commented out by default:

XML
<!-- Session UserAgent Filter -->
<!-- 
<filter>
  <filter-name>SessionUserAgentFilter</filter-name>
  <filter-class>au.com.str.webapi.webcontent.common.servlet.http.filter.SessionUAFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SessionUserAgentFilter</filter-name>
  <url-pattern>*</url-pattern>
</filter-mapping>
-->
    
<!-- Session IP Filter -->
<!-- 
<filter>
  <filter-name>SessionIPFilter</filter-name>
  <filter-class>au.com.str.webapi.webcontent.common.servlet.http.filter.SessionIPFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SessionIPFilter</filter-name>
  <url-pattern>*</url-pattern>
</filter-mapping>
-->

Remove the comments to activate user agent and IP address filtering:

XML
<!-- Session UserAgent Filter -->
<filter>
  <filter-name>SessionUserAgentFilter</filter-name>
  <filter-class>au.com.str.webapi.webcontent.common.servlet.http.filter.SessionUAFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SessionUserAgentFilter</filter-name>
  <url-pattern>*</url-pattern>
</filter-mapping>
    
<!-- Session IP Filter -->
<filter>
  <filter-name>SessionIPFilter</filter-name>
  <filter-class>au.com.str.webapi.webcontent.common.servlet.http.filter.SessionIPFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SessionIPFilter</filter-name>
  <url-pattern>*</url-pattern>
</filter-mapping>

When these parameters are enabled, SuperWEB2 will validate the user's IP address and browser. If those details change during the session then the user will be logged out automatically.

This reduces the risk of a user's session token being captured and used to hijack their session.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.