NF12 Session Fingerprinting


Feature: Session Fingerprinting

Description

Goal: Security

Developer: Carlos Ruiz

Sponsor: Trek Global

To make iDempiere more secure this feature implements fingerprinting on sessions.

This is configurable and extensible: it is configured through SysConfig keys, and extended through OSGi extensions that implement the interface ISessionFingerprintComponent.

SysConfig keys

The following relevant System Configurator keys were added:

  • ZK_SESSION_SAVE_JSESSIONID: This is a Y/N flag defaulting to N. Previously the value of jsessionid was saved in AD_Session.WebSession, which represents a potential risk. Since this feature was implemented the jsessionid is no longer saved; only the indicator "zkwebui" is stored to record where the session was created. If needed, you can set this SysConfig to Y and it will be saved again (not recommended).
  • ZK_SESSION_SAVE_USER_AGENT: Similarly, the User Agent used to be saved in AD_Session.Description. Since it is now used for fingerprinting, it is better to keep it out of that column. If needed, you can set this SysConfig to Y and it will be saved again.
  • ZK_SESSION_FINGERPRINT_ENABLED: This is a Y/N flag defaulting to Y. By default session fingerprinting is enabled. If you want to disable it (not recommended), set this flag to N.

NOTE: The AD_Session records are registered in the System tenant and can be checked using the window System Issue Report.

Fingerprint values

There are three fingerprinted values at this moment: Accept-Language, User Agent and the IP address, each with different implications.

The following three SysConfig keys allow you to define the action to be taken when a variation in a fingerprinted value is detected.

The possible values are:

  • N -> Nothing: the value is not used for fingerprinting.
  • W -> Log Warning: a warning is written to the iDempiere logs, where these events can be monitored.
  • L -> Log Severe: a severe entry is written to the iDempiere logs and, in addition, the event is registered in the AD_Issue table, where it can be monitored to take further actions such as notifying users.
  • S -> Stop: the session is terminated immediately. When a variation in the fingerprinted value happens the user is logged out at once, and a severe entry is registered in AD_Issue and the logs.

Keys:

  • ZK_SESSION_FINGERPRINT_CHECK_ACCEPT_LANGUAGE: Defaults to (S)top. Accept-Language tends to be a very stable value within a browser, so the default is to terminate the session when it varies during the session. This also happens if a user changes the browser language in the middle of a session: the event is registered, the user is logged out and will need to log in again.
  • ZK_SESSION_FINGERPRINT_CHECK_IP: Defaults to (L)og Severe. Because IP address changes happen easily, for example when switching Wi-Fi networks or connecting to a VPN, the default for this event is to log it in AD_Issue and the logs. You can monitor these events and, in suspicious cases, let the user know. If your environment is fixed (e.g. users must log in from a specific IP address), consider changing this flag to (S)top.

Extending fingerprinting

It is possible to extend fingerprinting with more components: create a class implementing the interface org.adempiere.webui.session.fingerprint.ISessionFingerprintComponent and register it as an OSGi service.

You will probably also want to add a corresponding SysConfig key to define the action to be taken by your fingerprint component.

For an example of how to do that, check the three components already implemented in core: IPAddressFingerprintComponent, UserAgentFingerprintComponent and AcceptLanguageFingerprintComponent.

Some examples of potential additional values for fingerprinting (some would require JavaScript):

  • Time zone offset
  • Screen resolution
  • Color depth
  • Platform/OS: even if you disable the User-Agent check, this value could still be extracted for fingerprinting
  • WebGL
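The following is an added, stand-alone model of the check described in the two sections above (the N/W/L/S actions with the stated defaults for Accept-Language and IP, and an extra component of the kind the extension section suggests). It is not iDempiere's code and does not use ISessionFingerprintComponent: the class and function names, the request dictionaries, the "X-Timezone-Offset" header and the User-Agent and time zone actions in the sample policy are all constructed for illustration.

```python
"""Model of a per-session fingerprint check with N/W/L/S actions.

Added example, not iDempiere code: FingerprintComponent,
SessionFingerprintChecker, the toy request dicts and the
"X-Timezone-Offset" header are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Action codes, as the SysConfig values on this page define them.
NOTHING, WARN, SEVERE, STOP = "N", "W", "L", "S"
SEVERITY = {NOTHING: 0, WARN: 1, SEVERE: 2, STOP: 3}


@dataclass(frozen=True)
class FingerprintComponent:
    """One fingerprinted value: a name and how to read it from a request.

    Stands in for an OSGi ISessionFingerprintComponent; the real interface
    is not reproduced here (assumption: it is not shown on this page).
    """
    name: str
    extract: Callable[[dict], Optional[str]]


def header(name: str) -> Callable[[dict], Optional[str]]:
    """Build an extractor for one header of our toy request dict."""
    return lambda request: request["headers"].get(name)


# The three values core fingerprints, plus a time zone offset component of
# the kind listed above (a client script would have to send it; the header
# name is an assumption made for this example).
CORE_COMPONENTS = [
    FingerprintComponent("AcceptLanguage", header("Accept-Language")),
    FingerprintComponent("UserAgent", header("User-Agent")),
    FingerprintComponent("IPAddress", lambda request: request.get("remote_addr")),
]
TIMEZONE_COMPONENT = FingerprintComponent("TimezoneOffset", header("X-Timezone-Offset"))


@dataclass(frozen=True)
class FingerprintEvent:
    """A detected variation and the action the configured policy assigns to it."""
    component: str
    action: str
    expected: Optional[str]
    observed: Optional[str]


class SessionFingerprintChecker:
    """Compares each request against the fingerprint captured at login.

    `actions` maps component name -> N/W/L/S, mirroring the per-component
    SysConfig keys; `enabled` mirrors ZK_SESSION_FINGERPRINT_ENABLED.
    """

    def __init__(self, components: List[FingerprintComponent],
                 actions: Dict[str, str], enabled: bool = True) -> None:
        self.components = components
        self.actions = actions
        self.enabled = enabled

    def baseline(self, request: dict) -> Dict[str, Optional[str]]:
        """Capture the fingerprint once, when the session is created."""
        return {c.name: c.extract(request) for c in self.components}

    def check(self, baseline: Dict[str, Optional[str]],
              request: dict) -> Tuple[bool, List[FingerprintEvent]]:
        """Return (terminate_session, events) for one request.

        A component configured N is skipped; W and L only produce an event
        for the caller to log (L also to AD_Issue); S also ends the session.
        """
        if not self.enabled:
            return False, []
        events: List[FingerprintEvent] = []
        for component in self.components:
            action = self.actions.get(component.name, NOTHING)
            if action == NOTHING:
                continue
            observed = component.extract(request)
            expected = baseline.get(component.name)
            if observed != expected:
                events.append(FingerprintEvent(component.name, action, expected, observed))
        return any(e.action == STOP for e in events), events


def worst_action(events: List[FingerprintEvent]) -> str:
    """Highest action among the events, e.g. to pick a single log level."""
    return max((e.action for e in events), key=SEVERITY.get, default=NOTHING)


# Defaults from this page for Accept-Language (S) and IP (L); the User-Agent
# and time zone actions are chosen for the example only.
POLICY = {"AcceptLanguage": STOP, "IPAddress": SEVERE,
          "UserAgent": WARN, "TimezoneOffset": SEVERE}


def demo() -> Tuple[bool, List[FingerprintEvent]]:
    """Constructed login request, then the same session from a new IP and time zone."""
    checker = SessionFingerprintChecker(CORE_COMPONENTS + [TIMEZONE_COMPONENT], POLICY)
    login = {"remote_addr": "203.0.113.10",
             "headers": {"Accept-Language": "es-CO,es;q=0.9",
                         "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
                         "X-Timezone-Offset": "300"}}
    baseline = checker.baseline(login)
    later = {"remote_addr": "198.51.100.7",
             "headers": {**login["headers"], "X-Timezone-Offset": "-60"}}
    return checker.check(baseline, later)


if __name__ == "__main__":
    terminate, events = demo()
    for e in events:
        print(f"{e.component}: {e.expected!r} -> {e.observed!r} action={e.action}")
    print("terminate session:", terminate, "worst action:", worst_action(events))
```

In the demo the IP and time zone both change, so two (L)og Severe events are produced and the session stays open; a change in Accept-Language alone would be enough to terminate it under the stated default. Setting `enabled=False` skips every comparison, which is what ZK_SESSION_FINGERPRINT_ENABLED=N amounts to.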


Technical Info: IDEMPIERE-6809
