OpenWGA 7.10 - OpenWGA Concepts and Features

Administration » Security » Advanced security features

Use OpenWGA session manager

This security measure is only available to installations of the OpenWGA Enterprise Edition.

The session manager component of an OpenWGA system is responsible for managing user sessions, the data stored in them, and the distribution of these sessions across the nodes of a cluster. Normally OpenWGA installations use the session manager of the underlying Apache Tomcat webapp server.

OpenWGA 6.3 introduced the "OpenWGA session manager", an optional replacement which, among other features, provides some additional security measures that the Tomcat session manager does not offer:

  • It uses separate session IDs for HTTP and HTTPS access. When a user moves from HTTP to HTTPS, a new session is created and the data of the existing HTTP session is copied to it. This new session has its own ID, which is stored on the client in a cookie that is only accessible via HTTPS, so the ID is never transmitted over unencrypted transport. This prevents session hijacking attacks, in which an attacker tries to intercept and reuse the ID of a currently live user session. The old HTTP session ID, which was transmitted over unencrypted transport and is therefore potentially interceptable, only addresses the data that was used during unencrypted access.
  • It neither uses nor supports the JSESSIONID path component in URLs, which the Tomcat session manager uses in some situations. This technique is infamous for enabling session fixation attacks, in which an attacker makes a user access the system with a predefined session that the attacker controls, for example by making the user open a URL that includes a session ID.
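To make the two measures concrete, here is an added example (not OpenWGA code; cookie names, the `Request` type and the `resolve` method are hypothetical) of a minimal session manager that keeps one session ID per transport, copies the HTTP session data into a fresh HTTPS-only session on upgrade, refuses to honour the HTTPS ID over plain HTTP, and ignores any `;jsessionid=` path parameter:

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical cookie names, chosen for this example only
HTTP_COOKIE = "WGASESSION"
HTTPS_COOKIE = "WGASESSION_SECURE"


@dataclass
class Session:
    id: str
    secure: bool              # True if this session may only be addressed over HTTPS
    data: dict = field(default_factory=dict)


@dataclass
class Request:
    scheme: str               # "http" or "https"
    path: str
    cookies: dict = field(default_factory=dict)


class SplitSessionManager:
    """One session ID per transport: the HTTPS ID is never sent in clear text."""

    def __init__(self):
        self.sessions = {}

    def _new(self, secure, data):
        sess = Session(secrets.token_urlsafe(32), secure, dict(data))
        self.sessions[sess.id] = sess
        return sess

    def resolve(self, req):
        """Return (session, set_cookie); set_cookie is None or (name, value, attributes)."""
        # Strip and ignore any session ID carried in the URL path: a link handed to a
        # victim can therefore never pre-select the session (session fixation defence).
        if ";jsessionid=" in req.path.lower():
            req.path = req.path.split(";", 1)[0]
        # Only a non-secure session may be addressed by the plain HTTP cookie.
        http_sess = self.sessions.get(req.cookies.get(HTTP_COOKIE))
        if http_sess is not None and http_sess.secure:
            http_sess = None
        if req.scheme == "https":
            sess = self.sessions.get(req.cookies.get(HTTPS_COOKIE))
            if sess is not None and sess.secure:
                return sess, None
            # First HTTPS hit: fresh ID, HTTP data copied over, cookie marked Secure.
            sess = self._new(True, http_sess.data if http_sess else {})
            return sess, (HTTPS_COOKIE, sess.id, "Secure; HttpOnly")
        if http_sess is not None:
            return http_sess, None
        sess = self._new(False, {})
        return sess, (HTTP_COOKIE, sess.id, "HttpOnly")
```

An ID captured from an unencrypted request only ever unlocks the HTTP session, and the secure session is only reachable through the Secure cookie.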

Note that switching to the OpenWGA Session Manager will invalidate all current user sessions!

Configure use of the OpenWGA Session Manager as follows:

  • Enter "Expert mode" by checking the checkbox to the top right
  • On OpenWGA admin client menu choose "Configuration > Advanced Configuration"
  • Change to tab "HTTP Session Management" and click button "Edit" there
  • Check checkbox "HTTP session management enabled"
  • On setting "HTTP session manager implementation" choose "OpenwGA Enterprise HttpClusterSessionManager". (Note that, despite its name, this session manager is also usable on non-cluster installations)
  • Click button "save"