How to: Getting started with session management in Exact Synergy Enterprise

Introduction

Note: The Federated Identity feature is only available for the controlled release participants.

A session is an identifier for a conversation between two or more communicating devices. In the context of Exact Synergy Enterprise, a session represents a conversation between the web browser and the server while the application is in use. Session management refers to the tracking, processing, and protection of these sessions. Session management is especially important for preventing attacks on a session, such as session hijacking.

Session management in Exact Synergy Enterprise offers the following features that help in managing sessions:

  •  Session timeout
  •  Logging off
  •  Concurrent user checks
  •  User access logging

Session timeout

Exact Synergy Enterprise can be configured with an absolute session timeout; this improves the security of the application by reducing the window in which an attacker can steal and use an existing user session.

The absolute session timeout function can be enabled or disabled by the administrator. When the function is enabled, the administrator can also set the duration of user sessions, after which they time out. When a session has timed out, a new session is required. Depending on the authentication mode of Exact Synergy Enterprise, the new session may be acquired automatically or may be acquired by prompting the user to log in.

  1. Using Windows authentication and basic authentication, a new session is acquired automatically.
  2. Using federated identity authentication and form authentication, a new session is acquired by prompting the user to log in.

To define the session timeout: 

  1. Go to Modules > System > Setup > Session Management > Settings.
  2. On the Session Management: Settings page, select the Enabled check box in the Session Timeout section. By default, this check box is selected.
  3. Define the duration (in seconds) after which a session should expire. By default, “86400” (24 hours) is defined at Duration.

For more information, see Setting up session management.

Note:

  •  A session is a representation of the presence of a user on a web site or application. The session (and session ID) is issued by the web server based on the domain and browser used to access the web site or application. This is a constraint of the web server and is depicted in the following:

     Browser      | Exact Synergy Enterprise                                                                          | Result
     Same browser | Single instance of Exact Synergy Enterprise                                                       | All tabs share the same session (and session ID).
     Same browser | Multiple instances of Exact Synergy Enterprise on the same web domain, but different virtual directories | All Exact Synergy Enterprise sessions share the same session ID, across virtual directories. For example, if Tab 1 accesses SynergyA and Tab 2 accesses SynergyB, both tabs have the same session ID. Note: Each Exact Synergy Enterprise session, however, will have its own expiration date.
     Same browser | Multiple instances of Exact Synergy Enterprise, each on a unique domain                            | All Exact Synergy Enterprise sessions have an individual session ID per domain.

  • When using multiple tabs in a single session, the first tab that experiences a session timeout will redirect the user to the login page. However, if the user does not log in via the first tab and attempts to perform an action in the other tabs, the user will be redirected to the login page in the IFRAME only. This is a constraint of the web server as once the session has been expired by the web application, subsequent checks on the session will be handled by the web server and not the web application. It is the web server that redirects the user to the login page within the IFRAME.

Logging off

Using the form authentication or federated identity authentication, you can end a session by clicking Log off, which prevents the session from being taken over by a third party.

There is no specific setting for the log off functionality as it will be automatically enabled for the supported authentications.

Concurrent user checks

As concurrent user sessions can present a potential security risk, because an attacker can reuse a user’s earlier session to access the system, you can disable concurrent sessions in Exact Synergy Enterprise. This function is available only when Exact Synergy Enterprise is using the form authentication or federated identity authentication; it is not possible to disable concurrent user sessions when using the Windows authentication.

When concurrent user sessions are disabled, Exact Synergy Enterprise will allow only one user session to be active. Only the most recent session will remain active. If a user tries to perform an action on a session that has been deactivated, the user will be redirected to the login page again.

To set up checks on concurrent sessions:

  1. Go to Modules > System > Setup > Session Management > Settings.
  2. On the Session Management: Settings page, select the Enabled check box in the Concurrent sessions section to allow concurrent sessions. When enabled, concurrent user logins in Exact Synergy Enterprise are allowed. When disabled, concurrent user logins in Exact Synergy Enterprise are not allowed.

For more information, see Setting up session management.

Note:

  • The function for concurrent user sessions is applicable only for the federated identity authentication and the form authentication types.
  • Administrators can enable or disable the concurrent user sessions at Modules > System > Setup > Session Management > Settings. When the system is using the federated identity authentication or form authentication, the setting is disabled by default. When the system is using the Windows authentication, the setting is enabled and cannot be changed.
  • A user session is defined by the web server (IIS) and is identified by a session ID. In a single browser, multiple tabs share the same session ID, and therefore, are considered as part of the same user session. Browsers that use private/incognito mode are given separate session IDs from when they are used in non-private/incognito mode, and so are considered as two different user sessions.
  • When concurrent user sessions are disabled, a user can perform an action only in the most recent user session. If a user attempts to perform an action in a user session that is not the most recent (or has been deactivated), the user will be redirected to the login page.
  • There are some special scenarios due to technical and architecture reasons:
      - User delegation is considered part of the original user’s session. If user A delegates to user B, the session still belongs to user A, and not to user B.
      - When a user logs out of delegation and returns to his session, the system creates a new session automatically (giving it a new session ID). This is the only exception where a user is not prompted to log in.
      - When the database has not been updated to product update 260, the system will not perform checks on concurrent sessions. The feature will temporarily be disabled until the database update is performed, and this will only occur once. The access in this session will remain granted even after the user manages to update the database, until the user ends the session manually by closing the browser and/or logging off from the system.
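The two behaviours described above (the absolute session timeout from the Session timeout section, and the "only the most recent session stays active" rule from this section) can be modelled in a few lines. The following is an added illustration written for this page; it is not Exact Synergy Enterprise code, and the class names, the in-memory store, the session-ID format and the string values used for the authentication mode are assumptions made for the example. It does follow the text: timeout is measured from session creation (not last activity) with the page's default of 86400 seconds, Windows/basic authentication re-acquires a session automatically, and form/federated authentication sends the user to the login page.

```python
"""Model of absolute session timeout and concurrent-session checks.

Added example, not part of Exact Synergy Enterprise. Names, the in-memory
store and the session-ID format are assumptions made for this illustration.
"""
import secrets
from dataclasses import dataclass, field

DEFAULT_DURATION = 86400  # seconds; the default of 24 hours stated on the page


@dataclass
class Session:
    session_id: str
    user: str
    created_at: float   # absolute timeout counts from creation, not last activity
    active: bool = True  # False once a newer session for the same user supersedes it


@dataclass
class SessionManager:
    timeout_enabled: bool = True
    duration: int = DEFAULT_DURATION
    concurrent_allowed: bool = False       # the page's default for form/federated auth
    _sessions: dict = field(default_factory=dict)

    def create_session(self, user: str, now: float) -> str:
        """Issue a new session; with concurrent sessions disabled, deactivate the user's older ones."""
        if not self.concurrent_allowed:
            for s in self._sessions.values():
                if s.user == user:
                    s.active = False       # only the most recent session remains active
        sid = secrets.token_urlsafe(32)    # assumed ID format: unguessable, 256 bits of entropy
        self._sessions[sid] = Session(sid, user, now)
        return sid

    def is_valid(self, sid: str, now: float) -> bool:
        """A session is valid only if it exists, is still active and has not reached the absolute timeout."""
        s = self._sessions.get(sid)
        if s is None or not s.active:
            return False
        if self.timeout_enabled and now - s.created_at >= self.duration:
            return False
        return True

    def check_request(self, sid: str, now: float, auth_mode: str) -> str:
        """Outcome for a request carrying session `sid` (auth_mode values are assumed labels).

        'ok'      -> session still valid, request proceeds
        'reissue' -> Windows or basic authentication: a new session is acquired automatically
        'login'   -> form or federated identity authentication: user is prompted to log in
        """
        if self.is_valid(sid, now):
            return "ok"
        if auth_mode in ("windows", "basic"):
            return "reissue"
        return "login"


if __name__ == "__main__":
    m = SessionManager(duration=600)
    first = m.create_session("alice", now=0)
    second = m.create_session("alice", now=100)   # supersedes `first`
    print(m.check_request(first, 200, "form"))    # login  (older session deactivated)
    print(m.check_request(second, 200, "form"))   # ok
    print(m.check_request(second, 700, "windows"))  # reissue (absolute timeout reached)
```

Note that the timeout is checked on every request and never extended by activity; that is what makes it an absolute timeout, and it is why a stolen session ID stops working at a predictable point even if the attacker keeps using it.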

User access logging

For better access control, there are two reports available that give insight into all successful and failed login attempts, and that record whenever a user encounters an “access denied” message in Exact Synergy Enterprise.

Note:

  • Logging for successful and failed login attempts is available only for the form authentication.
  • Logging of “access denied” encounters is available for the form authentication, federated identity authentication, basic authentication, and Windows authentication.

Log: Login report

The Log: Login page, accessed via Modules > System > Reports > Log > Login, displays the login information, such as the login date and time, person, and status. For users that failed to log in, “ExactWebGuest” will be displayed in the Person column.

For more information, see Viewing login report.

Log: Application report

The Log: Application page, accessed via Modules > System > Reports > Log > Application, displays the pages that have been accessed and the people who have accessed those pages.

If a user has been denied access to any of the pages, the information will be displayed with the message, “Access Denied : <name of the application page>”. For more information, see Application log report.
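The two reports are most useful when reviewed for patterns rather than row by row: a cluster of failed logins in a short period, or one person repeatedly hitting pages they are not authorised for. The following added example (not part of Exact Synergy Enterprise, and not the product's export format) applies two such checks to rows as they might be copied out of the Log: Login and Log: Application pages. The column layout, the page names and all sample rows are constructed for this illustration; what is taken from the page is that failed logins show “ExactWebGuest” in the Person column and that denied pages are logged as “Access Denied : <page>”. Remember that the login report only covers form authentication.

```python
"""Review the Log: Login and Log: Application reports for suspicious patterns.

Added example, not part of Exact Synergy Enterprise. Column layout, page
names and sample rows are constructed; the markers FAILED_LOGIN_PERSON and
ACCESS_DENIED_PREFIX are the ones the help page describes.
"""
from collections import Counter, defaultdict
from datetime import datetime

FAILED_LOGIN_PERSON = "ExactWebGuest"      # shown in the Person column for failed logins
ACCESS_DENIED_PREFIX = "Access Denied : "  # prefix used in the application log

# Constructed sample of the Log: Login report: (date and time, person, status).
LOGIN_ROWS = [
    ("2017-11-30 08:01:12", "j.doe", "Success"),
    ("2017-11-30 08:05:40", "ExactWebGuest", "Failed"),
    ("2017-11-30 08:05:44", "ExactWebGuest", "Failed"),
    ("2017-11-30 08:05:47", "ExactWebGuest", "Failed"),
    ("2017-11-30 09:12:03", "a.smith", "Success"),
    ("2017-11-30 09:30:15", "ExactWebGuest", "Failed"),
]

# Constructed sample of the Log: Application report: (person, page entry).
# Page names are placeholders, not real Exact Synergy Enterprise pages.
APP_ROWS = [
    ("j.doe", "SessionSettingsPage"),
    ("a.smith", "Access Denied : SessionSettingsPage"),
    ("a.smith", "Access Denied : LoginReportPage"),
    ("a.smith", "PersonCardPage"),
]


def failed_logins_per_hour(rows):
    """Count failed login attempts per clock hour, keyed like '2017-11-30 08:00'."""
    counts = Counter()
    for timestamp, person, _status in rows:
        if person == FAILED_LOGIN_PERSON:
            hour = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H:00")
            counts[hour] += 1
    return dict(counts)


def failed_login_bursts(rows, threshold=3):
    """Hours in which failed logins reached the threshold; a cheap password-guessing indicator."""
    return sorted(hour for hour, n in failed_logins_per_hour(rows).items() if n >= threshold)


def access_denied_by_person(rows):
    """Map each person to the pages they were denied, in report order."""
    denied = defaultdict(list)
    for person, entry in rows:
        if entry.startswith(ACCESS_DENIED_PREFIX):
            denied[person].append(entry[len(ACCESS_DENIED_PREFIX):])
    return dict(denied)


if __name__ == "__main__":
    print(failed_logins_per_hour(LOGIN_ROWS))
    print(failed_login_bursts(LOGIN_ROWS))
    print(access_denied_by_person(APP_ROWS))
```

The threshold of three failed attempts per hour is only a starting point for the sample data; in practice it should be tuned against the normal rate of mistyped passwords in the environment, and the access-denied list is most telling when the same person is denied several different pages in a short time.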

Main Category: Support Product Know How
Document Type: Online help main
Category: On-line help files
Security level: All - 0
Sub category: General
Document ID: 28.159.005
Date: 30-11-2017
Release: 260

Attachments: HT260 -Getting started with session management-2.docx (89.2 KB)