const class afSleepSafe::SessionHijackGuard

sys::Obj
  afSleepSafe::SessionHijackGuard : afSleepSafe::Guard

Guards against session hijacking by caching selected request header values (by default the browser's User-Agent and Accept-Language) when a session is created and comparing them on every subsequent request. Should the values change, the session is dropped and the request rejected. Note that this is a heuristic binding, not a substitute for secure cookies: an attacker who steals the session cookie and replays the same header values passes the check, and a legitimate user whose headers change mid-session (a browser update, a language switch) is logged out.

IoC Configuration

afIocConfig Key: afSleepSafe.sessionHijackHeaders
Value: CSV of request headers whose values are cached and compared on each request. Defaults to "User-Agent, Accept-Language".

afIocConfig Key: afSleepSafe.sessionHijackEncrypt
Value: If true (the default), a hash of the header values is cached in the session rather than the values themselves, so a breach of the server or session store does not expose the raw header values. Despite the name, this is a one-way hash, not reversible encryption.

Example:

@Contribute { serviceType=ApplicationDefaults# }
Void contributeAppDefaults(Configuration config) {
    // extend the default header set; Accept-Encoding is added here purely as an illustration
    config["afSleepSafe.sessionHijackHeaders"] = "User-Agent, Accept-Language, Accept-Encoding"
    // store a hash of the header values, not the values themselves (this is the default)
    config["afSleepSafe.sessionHijackEncrypt"] = true
}
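To make the mechanism concrete, here is the same session-binding check written out in Python as an added illustration. It is not afSleepSafe's code; the `HijackGuard` class, the `fingerprint` function and the sample header sets are my own constructions that mirror the behaviour documented above, including the hashed (default) and unhashed (`sessionHijackEncrypt` false) storage modes and the case where an attacker copies the victim's headers.

```python
import hashlib
import hmac

# Header names checked by default, mirroring the documented default of
# afSleepSafe.sessionHijackHeaders ("User-Agent, Accept-Language").
DEFAULT_HEADERS = ("User-Agent", "Accept-Language")


def parse_header_csv(csv):
    """Parse the CSV form of the setting, e.g. "User-Agent, Accept-Language"."""
    return tuple(h.strip() for h in csv.split(",") if h.strip())


def fingerprint(headers, names=DEFAULT_HEADERS, hashed=True):
    """Build the per-session fingerprint from the selected request headers.

    HTTP header names are case-insensitive, so lookups are normalised.
    A missing header contributes the empty string, so its absence is itself
    part of the fingerprint. Values are joined with "\\n", which cannot occur
    inside a header value, so ("ab", "c") and ("a", "bc") cannot collide.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    raw = "\n".join(lower.get(n.lower(), "") for n in names)
    if not hashed:
        return raw  # equivalent of sessionHijackEncrypt = false: raw values stored
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


class HijackGuard:
    """Session store plus the check run on every request (hypothetical class).

    `sessions` maps session id -> cached fingerprint. Real middleware would
    keep this in the application's session backend; a dict stands in here.
    """

    def __init__(self, names=DEFAULT_HEADERS, hashed=True):
        self.names = names
        self.hashed = hashed
        self.sessions = {}

    def handle(self, session_id, headers):
        """Return "created", "ok" or "rejected" for one request.

        created  - no session existed for this id; one is started and its
                   fingerprint cached.
        ok       - the cached fingerprint matches the request.
        rejected - mismatch: the session is dropped and the request refused.
        """
        fp = fingerprint(headers, self.names, self.hashed)
        cached = self.sessions.get(session_id)
        if cached is None:
            self.sessions[session_id] = fp
            return "created"
        # Constant-time comparison so the check itself leaks nothing via timing.
        if hmac.compare_digest(cached, fp):
            return "ok"
        del self.sessions[session_id]
        return "rejected"


# Constructed sample traffic (not captured data).
VICTIM_HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0",
    "Accept-Language": "en-GB,en;q=0.9",
}
ATTACKER_HEADERS = {
    "User-Agent": "python-requests/2.31.0",
    "Accept-Language": "en-GB,en;q=0.9",
}


def scenario():
    """Victim establishes a session; an attacker replays the stolen cookie."""
    guard = HijackGuard()
    sid = "sess-01"
    return [
        guard.handle(sid, VICTIM_HEADERS),        # first request: session created
        guard.handle(sid, VICTIM_HEADERS),        # same browser: accepted
        guard.handle(sid, dict(VICTIM_HEADERS)),  # attacker copying the headers: passes (limitation)
        guard.handle(sid, ATTACKER_HEADERS),      # different client: session dropped, request rejected
        guard.handle(sid, VICTIM_HEADERS),        # victim's next request: session gone, starts afresh
    ]


def store_holds_raw_user_agent(hashed):
    """Does the session store contain the raw User-Agent string?"""
    guard = HijackGuard(hashed=hashed)
    guard.handle("sess-02", VICTIM_HEADERS)
    return VICTIM_HEADERS["User-Agent"] in guard.sessions["sess-02"]
```

The third request in `scenario` is the important caveat: the guard only notices a hijack when the attacker's client presents different header values, so it complements, rather than replaces, HttpOnly/Secure cookies and session rotation. `store_holds_raw_user_agent(False)` shows what the unhashed mode leaves in the session store.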

To disable, remove this class from the SleepSafeMiddleware configuration:

@Contribute { serviceType=SleepSafeMiddleware# }
Void contributeSleepSafeMiddleware(Configuration config) {
    config.remove(SessionHijackGuard#)
}