Configuring session validation
This section describes properties that are available to ensure that an Infor Lawson session has not been tampered with.
This table shows the session validation properties and their values and descriptions:
Property | Values / Description | Potential impact / Other notes |
---|---|---|
secure.cookie.enabled | If enabled (true), the secured cookie feature adds a second session cookie, H.LWSN, whose contents are used to validate the C.LWSN session cookie and so limit the risk of session theft. Default value: False | A stolen C.LWSN value alone is then not enough to hijack the session; both cookies must be captured. |
originating.ipaddress.lock.enabled | If enabled (true), a session is locked to the IP address the client had when the session began, which reduces the risk of session theft. If the client's IP address changes during the session, for example when it moves between WiFi access points, the session is terminated (not merely the request rejected). Default value: False | Expect terminated sessions for mobile and VPN users and for clients behind NAT or proxy pools whose outbound address changes; conversely, clients that share one outbound address are not distinguished by this check. |
set.cookie.secure | If enabled (true), the session cookie is set with the Secure attribute, which means the browser sends it only over HTTPS. Use this setting only if the assertion protocol is set to "Use HTTPS always"; otherwise requests that arrive over plain HTTP carry no session cookie and users lose their session. Default value: False | Cookies will not be transmitted over a non-secure network connection. |
destroy.expired.session | If enabled (true), the session object is discarded when it expires and a new object (with a new session ID) is created at relogon. Note: Most Infor Lawson customers should leave this option disabled. Default value: False | This feature is not compatible with permitting users to access multiple products in a single session through single sign-on. |
prevent.session.fixation | If enabled (true), any session ID cookie supplied during logon is discarded at successful logon and a new session ID cookie is set. This removes the possibility that a session ID known to a malicious user before logon, whether planted in the victim's browser or predicted, remains valid after the victim authenticates (session fixation). Default value: False | Clients must accept the new cookie issued at logon; a client that keeps replaying the pre-logon ID is treated as unauthenticated. |
url.redirect.check | If enabled (true), this feature protects against the type of phishing attack in which a link shows an Infor logon screen but then redirects the user to a malicious site after logon. The feature validates the redirect URL supplied with the logon request. If you are enabling this property, you must also provide an action for invalid URLs by setting the url.redirect.action property. Default value: False | There is a potential for false positives with this property. The system might block genuine redirect URLs if they resemble unsafe URLs. |
url.redirect.action | If the url.redirect.check property is enabled, use this property to define the action to be taken when an invalid or suspect URL is provided. Options are Warn (display a warning page) or Block (block the redirection), as the comment in the example file below states. | There is a potential for false positives with this property. With Block, the system might block genuine redirect URLs if they resemble unsafe URLs; with Warn, the user still decides whether to follow the suspect URL. |
validate.http.method | If enabled (true), only the HTTP POST method is accepted for login/logout; GET requests fail. Default value: False | There is a potential for false positives with this property. Genuine login/logout requests that are issued with GET might be blocked. |
domain.authorization.log.denied.access | If enabled (true), all denied access attempts are logged in the security authentication file (security_authen.log). See "Viewing the security authentication log file through the command line". | Writing to log files consumes system resources. |
xss validation properties | Properties for XSS validation appear in this file but cannot be configured here. Configure them through the file xssvalidators.properties. See "Configuring XSS (cross-site scripting) validation". | When XSS validation is enabled, some HTTP requests that contain safe content resembling XSS signatures may be blocked. |
cachecontrolheader.enabled | If enabled (true), the "Cache-Control" HTTP response header is set on web pages. The default value of the header restricts the browser from caching the web pages. Default value: False | There is a potential for performance issues with this property due to overhead from pages that are not cached on proxy servers and in client browsers. |
cachecontrolheader.value | If the cachecontrolheader.enabled property is set to true, use the cachecontrolheader.value property to specify the value of the Cache-Control header. Default value: no-store, no-cache, must-revalidate, private, proxy-revalidate | When the default value is used, there is a potential for performance issues due to overhead from pages that are not cached on proxy servers and in client browsers. Keep at least no-store and private for authenticated pages, otherwise a shared proxy or the browser's disk cache can retain session-specific content after logout. |
clickjackingdefences.isenabled | If enabled (true), the Single Sign On page refuses to be displayed in a frame (a frame-busting script, per the comment in the example file below), as a way to prevent clickjacking attacks. Note: Leave this property set to false when using Infor Ming.le™ or Lawson for Infor Ming.le, which frames the page legitimately. Default value: False | Script-based frame busting can be defeated by a hostile framing page (for example by sandboxing the frame so its script does not run), so the X-Frame-Options and frame-ancestors header properties further down are the stronger control. |
useragent.xss.validation.enabled | If enabled (true), the User-Agent HTTP request header is analyzed to detect and block cross-site scripting (XSS) attacks. Default value: False | There is a potential for false positives with this property. Genuine requests might be blocked if the User-Agent value resembles an XSS signature or the client browser is unknown to the system. |
useragent.block.unknowntypes | If enabled (true), the system blocks requests whose User-Agent request header is unknown to the system. The system treats unrecognized user agents as "unsafe". Default value: False | There is a potential for false positives with this property. Genuine requests might be blocked if the client browser (or an integration client or monitoring tool) is unknown to the system. |
http.splitting.check.enabled | If enabled (true), HTTP requests are scanned to detect HTTP response splitting attacks (attacker-supplied carriage return and line feed characters that would end up in a response header). If an attack is detected, the request is blocked or monitored; the mitigation action is set through the "http.splitting.check.action" property. Default value: False | There is a potential for false positives with this property. Genuine requests that contain certain combinations of carriage return and line feed characters might be blocked. |
http.splitting.check.action | If the "http.splitting.check.enabled" property is enabled, use this property to choose the mitigation action when a response splitting attack is detected. Options are BLOCK or MONITOR. Default value: BLOCK | When set to BLOCK, the system may block genuine requests. When set to MONITOR, the system allows requests regardless of whether they are safe requests or potential attacks; MONITOR is useful for measuring false positives before switching to BLOCK, but it stops nothing. |
xxssprotection.header.enabled | If enabled (true), the "X-XSS-Protection" header is put on HTTP responses with the value "1; mode=block". This header instructs the client browser to enable its built-in XSS filter and to block the page rather than sanitize it when the filter triggers. Default value: False | There is a potential for false positives with this property. The browser might block a legitimate page or script when its filter believes it has detected a cross-site scripting attack. Note also that current Chromium-based browsers have removed their XSS filter and Firefox never had one, so this header now only affects legacy browsers; server-side XSS validation and output encoding remain the effective controls. |
anti.mime.sniffing.enabled | This measure is intended to prevent drive-by-download attacks. If enabled (true), the "X-Content-Type-Options: nosniff" header is set on HTTP responses. This header prevents the client browser from MIME-sniffing a response away from the declared content type. Default value: False | There is a potential for false positives with this property. The browser might render a page incorrectly if it was developed without the correct "Content-Type" response header. |
CheckAllHeaders | If enabled (true), the system scans the HTTP request headers. The request is blocked if malicious data is found in the headers. Default value: False | There is a potential for false positives with this property. The system might block genuine requests if the headers resemble cross-site scripting attacks. |
CheckAllCookies | If enabled (true), the system scans the HTTP request cookies. The request is blocked if malicious data is found in the cookies. Default value: False | There is a potential for false positives with this property. The system might block genuine requests if cookie values resemble cross-site scripting attacks. |
xframeoptions.enabled | If enabled (true), the X-Frame-Options HTTP response header is put on the single sign-on and Infor Security Services (ISS) web pages. This header helps prevent clickjacking attacks by instructing the browser not to render the page if it is embedded in another page. Note: When this property is enabled, some pages that should render properly might not. If this happens, use the contentsecuritypolicy.frameancestors.enabled property instead. Default value: False | There is a potential for false positives with this property. The login page might not render properly inside Lawson for Infor Ming.le unless xframeoptions.value is set to "ALLOW-FROM https://<host>:<port>", where host and port are the endpoint of Lawson for Infor Ming.le or Infor Ming.le. Be aware that ALLOW-FROM is not supported by Chromium-based browsers or Safari and has been removed from Firefox; those browsers ignore it, which is why the frame-ancestors property is the recommended alternative. |
xframeoptions.value | If the xframeoptions.enabled property is set to true, use the xframeoptions.value property to specify the actual value of the X-Frame-Options HTTP response header. Options are SAMEORIGIN or ALLOW-FROM <URL> (the example file below uses SAMEORIGIN). Default value: False | There is a potential for false positives with this property. The login page might not render properly inside Lawson for Infor Ming.le unless xframeoptions.value is set to "ALLOW-FROM https://<host>:<port>", where host and port are the endpoint of Lawson for Infor Ming.le or Infor Ming.le. |
xframeoptions.services.enabled | If enabled (true), the X-Frame-Options HTTP response header is set on pages of services participating in SSO. This header helps prevent clickjacking attacks by instructing the browser not to render the page if it is embedded in another page. Note: This property, when enabled, may cause some pages not to render properly. When this happens, use the contentsecuritypolicy.frameancestors.enabled property instead. Default value: False | There is a potential for false positives with this property. Some pages might not render properly inside Lawson for Infor Ming.le or Infor Ming.le unless the resulting X-Frame-Options header value is the endpoint of Lawson for Infor Ming.le or Infor Ming.le. |
contentsecuritypolicy.frameancestors.enabled | If enabled (true), the Content-Security-Policy HTTP response header with the "frame-ancestors" directive is put on web pages. Like the X-Frame-Options header, it helps prevent clickjacking by instructing the browser not to render the page if it is embedded in a page from an origin that is not listed; unlike ALLOW-FROM, it accepts several origins and is honoured by current browsers. Default value: false | There is a potential for false positives with this property. Some pages might not render properly inside Lawson for Infor Ming.le or Infor Ming.le unless the resulting frame-ancestors directive value includes the endpoint of Lawson for Infor Ming.le or Infor Ming.le. |
contentsecuritypolicy.frameancestors.value | If the contentsecuritypolicy.frameancestors.enabled property is set to true, use the contentsecuritypolicy.frameancestors.value property to specify a space-delimited list of URIs that are allowed to embed the pages, for example (as in the example file below): contentsecuritypolicy.frameancestors.value=https://lsf.host.com:443/ https://lmrk.host.com:443/ https://informingle.host.com:443/ The recommended value is a space-delimited list of the URIs of the Infor Landmark, Infor LSF and Infor Ming.le hosts. Default value: * | There is a potential for false positives with this property. Some pages might not render properly inside Lawson for Infor Ming.le or Infor Ming.le unless the resulting frame-ancestors directive value includes the endpoint of Lawson for Infor Ming.le or Infor Ming.le. Do not leave the default "*" in place when the property is enabled: it allows any origin to frame the pages, so the header then provides no clickjacking protection. |
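The session-handling behaviour that prevent.session.fixation, originating.ipaddress.lock.enabled and set.cookie.secure describe, as an added example in Python. It is not Infor Lawson code and shows only the mechanism: the in-memory SessionStore class, its method names, the sample IP addresses and the HttpOnly attribute are assumptions of the example; the cookie name C.LWSN is the one the table uses.

```python
import secrets


class SessionStore:
    """Toy in-memory session store (example only, not Infor Lawson code)."""

    def __init__(self, prevent_fixation=True, ip_lock=True, cookie_secure=True):
        self.prevent_fixation = prevent_fixation   # prevent.session.fixation
        self.ip_lock = ip_lock                     # originating.ipaddress.lock.enabled
        self.cookie_secure = cookie_secure         # set.cookie.secure
        self._sessions = {}                        # sid -> {"user": str|None, "ip": str}

    def start(self, client_ip):
        """Anonymous session created when the logon page is first served."""
        sid = secrets.token_urlsafe(32)            # unpredictable, so it cannot be guessed
        self._sessions[sid] = {"user": None, "ip": client_ip}
        return sid

    def login(self, presented_sid, user, client_ip):
        """Authenticate and return the session ID the browser must use from now on."""
        if self.prevent_fixation or presented_sid not in self._sessions:
            # Discard the ID that arrived with the logon request, whoever set it,
            # and issue a fresh one: an attacker who planted the old ID cannot use it.
            self._sessions.pop(presented_sid, None)
            sid = self.start(client_ip)
        else:
            # Fixation-vulnerable behaviour: the pre-logon ID is promoted to an
            # authenticated session, so anyone who knows it is logged in as the user.
            sid = presented_sid
        self._sessions[sid]["user"] = user
        return sid

    def validate(self, sid, client_ip):
        """Return the user behind an authenticated session, or None.

        With ip_lock a request from a different client address does not merely
        fail: the session is terminated, as the property description says."""
        sess = self._sessions.get(sid)
        if sess is None or sess["user"] is None:
            return None
        if self.ip_lock and sess["ip"] != client_ip:
            del self._sessions[sid]
            return None
        return sess["user"]

    def cookie_header(self, sid):
        """Set-Cookie value for the session cookie. Secure follows set.cookie.secure;
        HttpOnly is an assumption of this example, not a documented property."""
        attrs = ["C.LWSN=" + sid, "Path=/", "HttpOnly"]
        if self.cookie_secure:
            attrs.append("Secure")
        return "; ".join(attrs)


def fixation_attack(store):
    """Attacker obtains a valid pre-logon ID, plants it in the victim's browser,
    the victim logs on with it, then the attacker presents the planted ID.
    Returns the user the attacker is recognised as, or None."""
    planted = store.start("10.0.0.66")
    store.login(planted, "alice", "10.0.0.66")       # victim's logon carries the planted ID
    return store.validate(planted, "10.0.0.66")      # attacker replays the same ID


def roaming_client(store):
    """Client logs on from one address, then roams to another and back."""
    sid = store.login(store.start("10.0.0.5"), "bob", "10.0.0.5")
    return (store.validate(sid, "10.0.0.5"),
            store.validate(sid, "10.0.0.77"),         # address changed mid-session
            store.validate(sid, "10.0.0.5"))          # original address again


if __name__ == "__main__":
    print("fixation, protection off:", fixation_attack(SessionStore(prevent_fixation=False, ip_lock=False)))
    print("fixation, protection on: ", fixation_attack(SessionStore(prevent_fixation=True, ip_lock=False)))
    print("IP lock on: ", roaming_client(SessionStore(ip_lock=True)))
    print("IP lock off:", roaming_client(SessionStore(ip_lock=False)))
    print(SessionStore().cookie_header("example"))
```

The roaming case is the false positive the table warns about: with the IP lock on, the session is gone for good once the address changes, so even returning to the original address does not restore it.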
Example lawsonsecurityva.properties file
Following is an example of the properties file showing features enabled.
#Configuration for cookie security, session locked to same IP address
secure.cookie.enabled=false
originating.ipaddress.lock.enabled=true
#Set the Secure flag on session cookies
set.cookie.secure=true
#Destroy session on relogon after session expiration
destroy.expired.session=false
#Prevent session fixation by not permitting session cookies before logging in
prevent.session.fixation=true
#Enable URL redirect validation
url.redirect.check=true
#The action to take on an invalid URL is either to display a warning page or to block the redirection. Use the words Warn or Block.
url.redirect.action=Block
#Enable validation of used http method. If enabled only POST can be used for login/logout.
validate.http.method=true
#Enable logging for denied access by the Domain Authorization.
domain.authorization.log.denied.access=false
#Cross-Site Scripting validation
xssvalidation.enabled=true
#List validator names here. Comma separated
xss.validators=LdapInjection,ScriptTag,Hex,SQLInjection
#Options are:
#ScriptTag
#SQLInjection
#Hex
#LdapInjection
#Cache-Control response header.
cachecontrolheader.enabled=true
cachecontrolheader.value=no-store, no-cache, must-revalidate, private, proxy-revalidate
#Recommended value is: no-store, no-cache, must-revalidate, private, proxy-revalidate
#Click-jacking defensive script
clickjackingdefences.isenabled=false
#Enable XSS validation on client types (user-agent)
useragent.xss.validation.enabled=true
#Block unknown client types (user-agent)
useragent.block.unknowntypes=true
#Activate session timeout notification
session.timeout.activatenotification=false
#Detect HTTP response splitting. Specify BLOCK or MONITOR action for detected attacks.
http.splitting.check.enabled=true
http.splitting.check.action=BLOCK
#Enable XSS Protection feature of the client browser
xxssprotection.header.enabled=true
#Prevent mime-sniffing based attacks
anti.mime.sniffing.enabled=true
CheckAllCookies=true
CheckAllHeaders=true
#Use X-Frame-Options response header
xframeoptions.enabled=true
xframeoptions.value=SAMEORIGIN
#Use the Content-Security-Policy: frame-ancestors response header
contentsecuritypolicy.frameancestors.enabled=true
contentsecuritypolicy.frameancestors.value=https://lsf.host.com:443/ https://lmrk.host.com:443/ https://informingle.host.com:443/
#Use X-Frame-Options response header for ALL services. Value can be SAMEORIGIN or ALLOW-FROM.
#If ALLOW-FROM is used, specify the URL by adding a new flag with the following format:
#xframeoptions.services.allow-from.<service name in all caps>=<URL>
#example: xframeoptions.services.allow-from.GEN.SERVICE.WEBAPP=http://lmrk.host.com
xframeoptions.services.enabled=true
xframeoptions.services.value=SAMEORIGIN
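A reviewer's check for a file like the one above, as an added example in Python that is not part of the Infor documentation or product: it reads the properties, flags the settings a security review would question, and then verifies that a captured HTTP response actually carries the headers the file enables. The property names are the documented ones; the trimmed sample file, the sample response, the finding texts and the parser are constructed for this example.

```python
import re

# Constructed sample: a trimmed copy of the example file above, with the
# frame-ancestors value left at its documented default of "*" and the
# splitting check action set to MONITOR.
SAMPLE_PROPERTIES = """\
#Cookie security
secure.cookie.enabled=false
set.cookie.secure=true
prevent.session.fixation=true
cachecontrolheader.enabled=true
cachecontrolheader.value=no-store, no-cache, must-revalidate, private, proxy-revalidate
anti.mime.sniffing.enabled=true
xframeoptions.enabled=true
xframeoptions.value=SAMEORIGIN
contentsecuritypolicy.frameancestors.enabled=true
contentsecuritypolicy.frameancestors.value=*
http.splitting.check.enabled=true
http.splitting.check.action=MONITOR
"""

# Constructed sample response, as if captured from the logon page with curl -si.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Cache-Control: no-cache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: C.LWSN=abc123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value or key:value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def is_on(props, key):
    return props.get(key, "false").strip().lower() == "true"


def audit_config(props):
    """Findings a reviewer would raise on the file itself, before rollout."""
    findings = []
    for key in ("secure.cookie.enabled", "prevent.session.fixation", "set.cookie.secure"):
        if not is_on(props, key):
            findings.append(f"{key} is off; session cookie protection is weaker than available")
    if is_on(props, "contentsecuritypolicy.frameancestors.enabled") and \
            props.get("contentsecuritypolicy.frameancestors.value", "*") == "*":
        findings.append("frame-ancestors is '*': any origin may frame the pages, "
                        "so the CSP header gives no clickjacking protection")
    if is_on(props, "cachecontrolheader.enabled") and \
            "no-store" not in props.get("cachecontrolheader.value", "").lower():
        findings.append("cachecontrolheader.value lacks no-store")
    if is_on(props, "http.splitting.check.enabled") and \
            props.get("http.splitting.check.action", "BLOCK").upper() != "BLOCK":
        findings.append("http.splitting.check.action is MONITOR: detected attacks are only logged")
    return findings


def parse_response_headers(raw):
    """Header name (lower-cased) -> list of values, from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_response(props, raw):
    """Findings where the response does not reflect what the file enables."""
    hdrs = parse_response_headers(raw)
    findings = []
    if is_on(props, "cachecontrolheader.enabled"):
        want = {d.strip().lower() for d in props.get("cachecontrolheader.value", "").split(",") if d.strip()}
        got = {d.strip().lower() for v in hdrs.get("cache-control", []) for d in v.split(",")}
        if want - got:
            findings.append(f"Cache-Control missing directives: {sorted(want - got)}")
    if is_on(props, "anti.mime.sniffing.enabled") and \
            "nosniff" not in [v.lower() for v in hdrs.get("x-content-type-options", [])]:
        findings.append("X-Content-Type-Options: nosniff not present")
    if is_on(props, "xframeoptions.enabled"):
        want = props.get("xframeoptions.value", "").upper()
        if want not in [v.upper() for v in hdrs.get("x-frame-options", [])]:
            findings.append(f"X-Frame-Options: {want} not present")
    if is_on(props, "contentsecuritypolicy.frameancestors.enabled") and \
            not any("frame-ancestors" in v for v in hdrs.get("content-security-policy", [])):
        findings.append("Content-Security-Policy frame-ancestors directive not present")
    if is_on(props, "set.cookie.secure"):
        for c in hdrs.get("set-cookie", []):
            if c.split("=", 1)[0].strip() in ("C.LWSN", "H.LWSN") and "secure" not in c.lower():
                findings.append(f"session cookie without Secure attribute: {c}")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for finding in audit_config(props) + check_response(props, SAMPLE_RESPONSE):
        print("-", finding)
```

Run the audit against the real file before rollout and the response check against a response captured from the logon URL afterwards; a header the file enables but the response lacks usually means the page is served by a component the property does not cover, which is exactly the case the xframeoptions.services.enabled property exists for.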