Manual Chapter: Configuring Application Security Session Tracking

Overview: Tracking application security sessions using login pages

You can track sessions using login pages configured from within Application Security Manager™ (ASM™), or have the policy retrieve the user names from Access Policy Manager® (APM™). This implementation describes how to set up session tracking for a security policy using login pages. The advantage of using session tracking is that you are able to identify the user, session, or IP address that instigated an attack, rather than only the offending request.

When creating login pages for the application, you define the URLs, parameters, and validation criteria required for users to log in to the application. User and session information is included in the system logs so you can track a particular session or user. The system can log activity, or block a user or session if either generates too many violations.

If you configure session awareness, you can view the user and session information in the application security charts.

Task Summary

  1. Creating login pages
  2. Enforcing login pages
  3. Setting up session tracking
  4. Monitoring user and session information

Creating login pages

In your security policy, you can create a login page to specify a login URL that presents a page that users must pass through to gain access to the web application. The login URL commonly leads to the login page of the web application.
  1. On the Main tab, click Security > Application Security > Sessions and Logins. The Login Pages List screen opens.
  2. In the Current edited policy list, verify that the edited security policy is the one you want to work on.
  3. Click Create. The New Login Page screen opens.
  4. For the Login URL setting, specify a URL that users must pass through to get to the application.
    1. From the list, select the type of URL: Explicit or Wildcard.
    2. Select either HTTP or HTTPS based on the type of traffic the web application accepts.
    3. Type an explicit URL or wildcard expression in the box. When you click in the field, the system lists URLs that it has seen, and you can select a URL from the list. Type explicit URLs in the format /login, and wildcard URLs without the slash, such as *.php.
  5. From the Authentication Type list, select the method the web server uses to authenticate the login URL’s credentials with a web user.
    Option Description
    HTML Form The web application uses a form to collect and authenticate user credentials. If using this option, you also need to type the user name and password parameters written in the code of the HTML form.
    HTTP Basic Authentication The user name and password are sent in the Authorization header Base64-encoded, not encrypted, so anyone who can observe the traffic can read them unless the connection uses TLS.
    HTTP Digest Authentication The web server performs the authentication; the client sends a hash computed from the credentials and a server-supplied nonce rather than the password itself, so the password is not transmitted over the network.
    NTLM Microsoft® NT LAN Manager authentication (also called Integrated Windows Authentication) uses a challenge-response exchange rather than transmitting credentials in plain text, but requires a continuous TCP connection between the client and server.
  6. In the Access Validation area, define at least one validation criterion for the login page response. If you define more than one validation criterion, the response must meet all of the criteria before the system treats the login as successful and allows the user to access the application.
    Note: See the online help for definitions of the criteria.
  7. Click Create to add the login page to the security policy. The new login page is added to the login pages list.
  8. Add as many login pages as needed for your web application.
  9. In the editing context area, click Apply Policy to immediately put the changes into effect.
The security policy now has one or more login pages associated with it.
You can now configure how the login pages are enforced, including the authentication URLs, logout URLs, and whether or not the login pages have time limits.

Enforcing login pages

Login enforcement settings prevent forceful browsing by users to restricted parts of the web application by forcing users to pass through one URL (known as the login URL) before viewing a different URL (known as the target URL). You use the login enforcement settings to specify how the security policy enforces login pages including the expiration time, authenticated URLs, and logout URLs. You can also use authenticated URLs to enforce idle timeouts on applications that are missing this functionality.
  1. On the Main tab, click Security > Application Security > Sessions and Logins > Login Enforcement. The Login Enforcement screen opens.
  2. If you want the login URL to be valid for a limited time, set Expiration Time to Enabled, and type a value, in seconds.
  3. Specify the target URLs that users can access only by way of the login URLs:
    1. For the Authenticated URLs setting, type the target URL name in the format /private.php (wildcards are allowed).
    2. Click Add to add the URL to the list of authenticated URLs.
    3. Add as many authenticated URLs as needed.
  4. Optionally, specify the URLs used to log out of the web application:
    1. For the Logout URLs setting, type the URL in the format /logout.html (explicit URLs only).
    2. Click Add.
    3. Add as many logout URLs as needed.
  5. Click Save.
If you specify authenticated URLs and a user tries to bypass them, the system now issues the Login URL bypassed violation. If a user session is idle and exceeds the expiration time, the system now issues the Login URL expired violation, and the user can no longer reach the authenticated URLs. For both login violations, if the enforcement mode is blocking, the system now sends the Login Page Response to the client (see Application Security > Blocking > Response Pages).
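The two procedures above describe behaviour rather than show it: a login page is only "passed" when the server's response satisfies every access-validation criterion, authenticated URLs reached without that are reported as Login URL bypassed, an idle session past the expiration time is reported as Login URL expired, and a logout URL ends the session. The following Python model, added here as an illustration (it is not ASM's code, and the class names, the `check` method and the three validation criteria it supports are assumptions), walks a constructed request sequence through those rules so the effect of each setting can be seen:

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Illustrative model of login pages plus login enforcement, written for this page.
# Not ASM's implementation: names, the check() interface and the subset of access
# validation criteria (status, string present, string absent) are assumptions.


@dataclass
class LoginPage:
    url: str                                # explicit ("/login") or wildcard ("*.php")
    expected_status: int = 200              # access validation: expected response status
    must_contain: Optional[str] = None      # access validation: string that must appear
    must_not_contain: Optional[str] = None  # access validation: string that must not appear

    def matches(self, path: str) -> bool:
        if "*" in self.url:
            return fnmatch.fnmatchcase(path, self.url)
        return path == self.url

    def validate(self, status: int, body: str) -> bool:
        # Every configured criterion must hold before the login counts as successful.
        if status != self.expected_status:
            return False
        if self.must_contain is not None and self.must_contain not in body:
            return False
        if self.must_not_contain is not None and self.must_not_contain in body:
            return False
        return True


@dataclass
class LoginEnforcer:
    login_pages: List[LoginPage]
    authenticated_urls: List[str]            # wildcards allowed, e.g. "/account/*"
    logout_urls: List[str]                   # explicit URLs only
    expiration: Optional[int] = None         # idle seconds before login expires; None = no limit
    _sessions: Dict[str, float] = field(default_factory=dict)  # session id -> last authenticated time

    def _is_authenticated_url(self, path: str) -> bool:
        return any(fnmatch.fnmatchcase(path, p) for p in self.authenticated_urls)

    def check(self, session_id, path, now, response_status=200, response_body=""):
        """Return None if the request is allowed, otherwise the violation name."""
        for page in self.login_pages:
            if page.matches(path):
                # The login URL itself is always reachable; a validated response
                # marks the session as logged in.
                if page.validate(response_status, response_body):
                    self._sessions[session_id] = now
                return None
        if path in self.logout_urls:
            self._sessions.pop(session_id, None)
            return None
        if not self._is_authenticated_url(path):
            return None                       # not a protected target URL
        last = self._sessions.get(session_id)
        if last is None:
            return "Login URL bypassed"
        if self.expiration is not None and now - last > self.expiration:
            self._sessions.pop(session_id, None)
            return "Login URL expired"
        self._sessions[session_id] = now      # activity refreshes the idle timer
        return None


def demo():
    enforcer = LoginEnforcer(
        login_pages=[LoginPage("/login", expected_status=302, must_not_contain="Invalid password")],
        authenticated_urls=["/private.php", "/account/*"],
        logout_urls=["/logout.html"],
        expiration=600,
    )
    # Constructed request sequence: (session, path, time, response status, response body)
    requests = [
        ("s1", "/private.php", 0, 200, ""),             # never logged in: bypassed
        ("s1", "/login", 1, 200, "Invalid password"),   # failed login: validation fails
        ("s1", "/private.php", 2, 200, ""),             # still bypassed
        ("s1", "/login", 3, 302, ""),                   # successful login
        ("s1", "/account/settings", 4, 200, ""),        # allowed, timer refreshed
        ("s1", "/account/settings", 700, 200, ""),      # idle 696 s > 600 s: expired
        ("s1", "/login", 701, 302, ""),                 # logs in again
        ("s1", "/logout.html", 702, 200, ""),           # logout ends the session
        ("s1", "/private.php", 703, 200, ""),           # bypassed again
        ("s2", "/public.html", 704, 200, ""),           # unprotected URL, no login needed
    ]
    return [enforcer.check(s, p, t, st, b) for s, p, t, st, b in requests]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The failed login at t=1 is the point to notice: because the response does not satisfy the validation criteria, the session is not marked as logged in, so a following request to a protected URL is still reported as bypassed. In the real product the response is validated when it passes back through ASM; the model simply takes the status and body as arguments.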

Setting up session tracking

You can use session tracking to track, enforce, and report on user sessions and IP addresses. To perform tracking, you enable session awareness and indicate how to associate the application user name with the session. You can also determine whether to track violations and perform logging or blocking actions based on the number of violations per user, session, and IP address.
  1. On the Main tab, click Security > Application Security > Sessions and Logins > Session Tracking. The Session Tracking screen opens.
  2. In the Session Tracking Configuration area, for Session Awareness, select the Enabled check box.
  3. Use the Application Username setting to specify the login pages for the application:
    1. From the list, select Use Login Pages.
    2. Move the login pages for the application from the Available list to the Selected list. If the login page is not listed, click Add to create it.
  4. In the Violation Detection Actions area, select the Track Violations and Perform Actions check box.
  5. In the Violation Detection Period field, type the number of seconds that indicates the sliding time period to count violations for violation thresholds. The default is 900 seconds.
  6. If you want the system to block all activity for a user, session, or IP address when the number of violations exceeds the threshold, specify one or more of the following settings on the Block All tab.
    Note: For the system to block requests, the security policy Enforcement Mode must be set to blocking (see Security > Application Security > Blocking > Settings) and some violations must be set to block.
    Option Description
    Blocked URLs Specify which URLs to block after the number of violations exceeds the enabled thresholds. To block all URLs, select Block all URLs. To block authenticated URLs protected by login pages, select Block Authenticated URLs.
    Username Threshold Select Enable and specify the number of violations allowed before the system starts to block this user's activity.
    Session Threshold Select Enable and specify the number of violations allowed before the system starts to block activity for this HTTP session.
    IP Address Threshold Select Enable and specify the number of violations allowed before the system starts to block the activity of this IP address.
    Block All Period Specify how long to block users, sessions, or IP addresses if the number of violations exceeds the threshold. To block the user, session, or IP address indefinitely, click Infinite. Otherwise, click User-defined and type the number of seconds to block the traffic. The default is 600 seconds.
  7. If you want the system to log activity when the number of user, session, or IP address violations exceeds the threshold during the violation detection period, specify one or more of the following settings on the Log All Requests tab.
    Option Description
    Username Threshold Select Enable and specify the number of violations allowed before the system starts logging this user's activity for the log all requests period.
    Session Threshold Select Enable and specify the number of violations allowed before the system starts logging activity for this HTTP session for the log all requests period.
    IP Address Threshold Select Enable and specify the number of violations allowed before the system starts logging the activity of this IP address for the log all requests period.
    Log All Requests Period Specify how long the system should log all requests when any of the enabled thresholds is reached. Type the number of seconds in the field.
  8. If you want more tolerant blocking for selected violations, such as those prone to false positives, specify one or more of the following settings on the Delay Blocking tab.
    Note: For the system to block requests, the security policy Enforcement Mode must be set to blocking (see Security > Application Security > Blocking > Settings) and the specified violations must be set to block.
    Option Description
    Username Threshold Select Enable and specify the number of violations a user must cause before the system begins blocking this user for the delay blocking period.
    Session Threshold Select Enable and specify the number of violations a session must cause (during the violation detection period) before the system begins blocking this HTTP session for the delay blocking period.
    IP Address Threshold Select Enable and specify the number of violations allowed before the system begins blocking this IP address for the delay blocking period.
    Delay Blocking Period Type the number of seconds that the system should block the user, session, or IP address when any of the enabled thresholds is reached.
    Associated Violations Move the violations for which you want delay blocking from the Available list into the Selected list. If the selected violations occur, the system does not block traffic until one of the enabled thresholds is reached. At that point, the system blocks traffic causing those violations for the user, session, or IP address, but allows other transactions to pass.
  9. Click Save.
  10. In the editing context area, click Apply Policy to immediately put the changes into effect.
After you set up session tracking, whenever the number of violations counted for a user, session, or IP address during the detection period exceeds an enabled threshold, the system starts the corresponding configured action (block all, log all requests, or delay blocking).

Monitoring user and session information

To monitor user and session information, you first need to set up session tracking for the security policy.
You can use the reporting tools in Application Security Manager™ to monitor user and session details, especially when you need to investigate suspicious activity that is occurring with certain users, sessions, or IP addresses.
  1. On the Main tab, click Security > Event Logs > Application > Requests. The Requests screen opens and shows all illegal requests that have occurred for this security policy.
  2. In the Requests List, click anywhere on a request. The screen displays details about the request including any violations associated with the request and other details, such as the source IP address, user name, and session ID.
  3. On the Request Details tab, in the General Details area, next to the Username, Source IP Address, or Session ID, click the Show Session Awareness details link. The screen displays the session awareness action flags that you can set.
  4. Update the settings for your selections, as appropriate.
    Option Description
    Log All Requests When set to Enabled, the system immediately begins to log activity for the user, session, or IP address and continues for the log activity period (600 seconds by default).
    Delay Blocking When set to Enabled, the system immediately becomes more tolerant of the selected violations (the Associated Violations configured on the Session Tracking screen) for this user, session, or IP address. The delay lasts for the delay blocking period (600 seconds by default).
    Block All When set to Enabled, the system blocks all activity for this user, session, or IP address until further notice.
  5. On the menu bar, click Session Tracking Status. You can see the list of action flags that you previously set. You can also add or release action flags from the Session Awareness screen.
  6. To see a graphical view of the violations, from the Charts menu, choose Charts. The Charts screen opens where you can view pie charts and bar charts.
  7. In the Charts area, next to View by, click the viewing criteria for the report you want to see. For example, you can view information about illegal requests by user name, session ID, or IP address. Then you can filter the Requests list by the top violator and examine request details for the user, session, or IP address.
  8. Examine the charts and review the data you need. Click Export to create a PDF of any charts you want to save.
After you set up session tracking, you can monitor the specific requests that cause violations by examining each request and reviewing graphical charts. From the Requests list, you can also set up logging, delay blocking, or block all requests for a specific user, session, or IP address.