Configuring session validation

This section describes properties that are available to ensure that an Infor Lawson session has not been tampered with.
  1. In an editor, open this file to configure session validation properties:

    Infor Lawson System Foundation: LAWDIR/system/lawsonsecurityva.properties

    Landmark: LASYSDIR/lawsonsecurityva.properties

  2. Configure the properties that you need to use.
  3. Restart the security server (LASE) and any application servers that deploy the SSOServlet.

    This table shows the session validation properties with their values and descriptions. For each property, the description and default value are followed by its potential impact or other notes:
    secure.cookie.enabled

    If enabled (true), the secured cookie feature adds a second session cookie called H.LWSN which contains:

    • Hash value of the session cookie

    • Username and IP address of the client machine

    H.LWSN is used to validate the C.LWSN session cookie to limit the risk of session theft.

    Default value: False

    originating.ipaddress.lock.enabled

    If enabled (true), a session is locked to the IP address the client had when the session began. This reduces the risk of session theft.

    If the client changes the IP address during the session, which might happen, for example, when accessing multiple WiFi access points, the session is terminated.

    Default value: False
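To show how the two checks above fit together, here is an added example (not Infor's code): the real H.LWSN encoding is not documented on this page, so an HMAC-SHA256 over the session cookie, username and client IP stands in for the "hash value" it carries, and the key, cookie and IP values are constructed.

```python
import hmac
import hashlib

# Constructed demo key; a deployment would hold a server-side secret instead.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def make_h_lwsn(c_lwsn: str, username: str, client_ip: str, key: bytes = SERVER_KEY) -> str:
    """Derive the H.LWSN-style companion cookie from C.LWSN, the user and the client IP."""
    message = f"{c_lwsn}|{username}|{client_ip}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def validate_session(c_lwsn: str, h_lwsn, username: str, client_ip: str, origin_ip: str,
                     *, secure_cookie_enabled: bool, ip_lock_enabled: bool,
                     key: bytes = SERVER_KEY):
    """Return (accepted, reason) after applying the two session-validation properties.

    secure_cookie_enabled -> secure.cookie.enabled: H.LWSN must match C.LWSN, user and IP.
    ip_lock_enabled       -> originating.ipaddress.lock.enabled: the request IP must equal
                             the IP recorded when the session began, else the session ends.
    """
    if secure_cookie_enabled:
        if not h_lwsn:
            return False, "missing H.LWSN"
        expected = make_h_lwsn(c_lwsn, username, client_ip, key)
        # Constant-time comparison so a forged cookie cannot be matched byte by byte.
        if not hmac.compare_digest(expected, h_lwsn):
            return False, "H.LWSN does not match session cookie, user and client IP"
    if ip_lock_enabled and client_ip != origin_ip:
        return False, "client IP changed since logon; session terminated"
    return True, "session accepted"


if __name__ == "__main__":
    sid, user, ip = "constructed-session-id", "alice", "10.0.0.5"
    h = make_h_lwsn(sid, user, ip)
    print(validate_session(sid, h, user, ip, ip, secure_cookie_enabled=True, ip_lock_enabled=True))
    # The same C.LWSN presented from another address fails the H.LWSN check.
    print(validate_session(sid, h, user, "192.0.2.9", ip, secure_cookie_enabled=True, ip_lock_enabled=False))
```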

    set.cookie.secure

    If enabled (true), the session cookie is set with the Secure attribute, which means it is only transferred when the protocol is HTTPS.

    This setting should only be used if the assertion protocol is set to "Use HTTPS always".

    Default value: False

    Cookies will not be transmitted over a non-secure network connection.

    destroy.expired.session

    Note: Most Infor Lawson customers should leave this option disabled.

    If this feature is enabled (true), the session object is discarded when it expires and a new object (with a new session ID) is created at relogon.

    Default value: False

    This feature is not compatible with permitting users to access multiple products in a single session through single sign-on.
    prevent.session.fixation

    If this feature is enabled (true), any session ID cookie supplied during logon is discarded at successful logon and a new session ID cookie is set. This avoids the possibility that predictable session IDs could be used by a malicious user.

    Default value: False

    url.redirect.check

    If enabled (true), this feature protects against the type of phishing attacks in which a link shows an Infor logon screen but then redirects the user to a malicious site after logon.

    The feature validates the _origUrl parameter to ensure that it contains only values specified in registered services and HTTP endpoints.

    If you are enabling this property, you must provide an action for invalid URLs by setting the url.redirect.action property.

    Default value: False

    There is a potential for false positives with this property. The system might block genuine redirect URLs if they resemble unsafe URLs.
    url.redirect.action

    If the url.redirect.check property is enabled, use this property to define the action to be taken when an invalid or suspect URL is provided.

    Options are:

    • Warn: A warning message that tells the user the link is suspect but the link is provided and can be accessed by the user.

    • Block: The link is blocked. A page appears notifying the user.

    • None (default): If the url.redirect.check property is disabled, leave this property set to None.

    There is a potential for false positives with this property. The system might block genuine redirect URLs if they resemble unsafe URLs.
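As an added illustration of the url.redirect.check and url.redirect.action behaviour described above (example code, not Infor's implementation), the check below accepts an _origUrl only when it stays on one of a constructed list of registered endpoints, rejects control characters and protocol-relative forms, and then applies the Warn / Block / None action; the hostnames are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed list standing in for the registered services and HTTP endpoints
# that the real check consults (hypothetical hosts).
REGISTERED_ENDPOINTS = ("https://lsf.example.com:443", "https://portal.example.com")


def _origin(url: str):
    """(scheme, host, port) with the default port filled in, or None if unusable."""
    try:
        p = urlsplit(url)
        if p.scheme.lower() not in ("http", "https") or not p.hostname:
            return None
        port = p.port or (443 if p.scheme.lower() == "https" else 80)
    except ValueError:  # e.g. a non-numeric or out-of-range port
        return None
    return (p.scheme.lower(), p.hostname.lower(), port)


def is_registered_redirect(orig_url: str, registered=REGISTERED_ENDPOINTS) -> bool:
    """url.redirect.check: accept _origUrl only if it stays on a registered endpoint."""
    if not orig_url or any(c in orig_url for c in "\r\n\x00"):
        return False
    # A plain path stays on this server; '//host' and '/\host' would leave it.
    if orig_url.startswith("/"):
        return not orig_url.startswith(("//", "/\\"))
    target = _origin(orig_url)
    return target is not None and target in {_origin(r) for r in registered}


def redirect_decision(orig_url: str, action: str = "None", registered=REGISTERED_ENDPOINTS):
    """Apply url.redirect.action; returns (url_to_follow, outcome)."""
    if action == "None" or is_registered_redirect(orig_url, registered):
        return orig_url, "redirect"
    if action == "Warn":
        return orig_url, "warn"   # warning page shown, link still offered to the user
    return None, "block"          # Block: redirection refused, notification page shown
```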
    validate.http.method

    If enabled (true), this feature ensures that only the HTTP POST method is accepted for login/logout. GET calls fail.

    Default value: False

    There is a potential for false positives with this property. The system might block genuine login/logout requests.
    domain.authorization.log.denied.access

    If enabled (true), all denied access attempts are logged in the security authentication file (security_authen.log).

    See Viewing the security authentication log file through the command line.

    Writing to log files consumes system resources.
    xss validation properties

    Properties for XSS validation appear in this file but they cannot be configured here. Configure them through the file xssvalidators.properties.

    See Configuring XSS (cross-site scripting) validation.

    When XSS validation is enabled, some HTTP requests that contain safe content but which resembles XSS signatures may be blocked.

    cachecontrolheader.enabled

    If enabled (true), the "Cache-Control" HTTP response header will be set on web pages. The default value of the header will restrict the browser from caching the web pages.

    Default value: False

    There is a potential for performance issues with this property due to overhead from pages that are not cached on proxy servers and in client browsers.
    cachecontrolheader.value

    If the cachecontrolheader.enabled property is set to true, use the cachecontrolheader.value property to specify the value of the Cache-Control header.

    Default value: No-store, no-cache, must-revalidate, private, proxy-revalidate

    When the default value is used, there is a potential for performance issues with this property due to overhead from pages that are not cached on proxy servers and in client browsers.
    clickjackingdefences.isenabled

    If enabled (true), the Single Sign On page will not be displayed in a frame, which prevents clickjacking attacks.

    Note: Leave this property set to false when using Infor OS Portal (or Infor Ming.le) or Lawson Portal.

    Default value: False

    useragent.xss.validation.enabled

    If enabled (true), the User-Agent HTTP request header will be analyzed to detect and block cross-site scripting (XSS) attacks.

    Default value: False

    There is a potential for false positives with this property. Genuine requests might be blocked if the client browser is unknown to the system.
    useragent.block.unknowntypes

    If enabled (true), the system will block requests that have a User-Agent request header that is unknown to the system. The system treats unrecognized user-agents as "unsafe".

    Default value: False

    There is a potential for false positives with this property. Genuine requests might be blocked if the client browser is unknown to the system.
    http.splitting.check.enabled

    If enabled (true), HTTP requests will be scanned to detect HTTP response splitting attacks. If an attack is detected, the request will be blocked or monitored. The mitigation action is set through the "http.splitting.check.action" property.

    Default value: False

    There is a potential for false positives with this property. Genuine requests that contain certain combinations of carriage return and line feed characters might be blocked.
    http.splitting.check.action

    If "http.splitting.check.enabled" property is enabled, use this property to choose the mitigation action when a response splitting attack is detected.

    Options are:

    • BLOCK: The HTTP request will be blocked.

    • MONITOR: The HTTP request will not be blocked but the incident will be recorded in security.log file.

    Default value: BLOCK

    When set to "BLOCK", the system may block genuine requests.

    When set to MONITOR, the system allows requests regardless of whether they are safe requests or potential attacks.

    xxssprotection.header.enabled

    If enabled (true), the "X-XSS-Protection" header is put on HTTP responses with the value "1; mode=block". This header instructs the client browser to enable its XSS filtering capabilities.

    Default value: False

    There is a potential for false positives with this property. The browser might block legitimate JavaScript from running when it takes it for a cross-site scripting attack.
    anti.mime.sniffing.enabled

    This measure is intended to prevent drive-by-download attacks.

    If enabled (true), the "X-Content-Type-Options: nosniff" header is set on HTTP responses. This header prevents the client browser from MIME-sniffing a response away from the declared content-type.

    Default value: False

    There is a potential for false positives with this property. The browser might render a page incorrectly if it was developed without the correct "Content-Type" response header.
    CheckAllHeaders

    If enabled (true), the system will scan the HTTP request headers. The request is blocked if malicious data is found in the headers.

    Default value: False

    There is a potential for false positives with this property. The system might block genuine requests if the headers resemble cross-site scripting attacks.
    CheckAllCookies

    If enabled (true), the system will scan the HTTP request cookies. The request will be blocked if malicious data is found in them.

    Default value: False

    There is a potential for false positives with this property. The system might block genuine requests if the cookies resemble cross-site scripting attacks.
    xframeoptions.enabled

    If enabled (true), the X-Frame-Options HTTP response header will be put on the single sign-on and Infor Security Services (ISS) web pages. This header helps prevent clickjacking attacks by instructing the browser not to render the page if it is embedded on another page.

    Note: When this property is enabled, some pages that should render properly might not. If this happens, use the contentsecuritypolicy.frameancestors.enabled property instead.

    Default value: False

    There is a potential for false positives with this property. The login page might not render properly inside Lawson Portal unless xframeoptions.value is set to "ALLOW-FROM https://<host>:<port>" where host and port are the endpoint of Lawson Portal or Infor Ming.le.

    xframeoptions.value

    If the xframeoptions.enabled property is set to true, use the xframeoptions.value property to specify the actual value of the X-Frame-Options HTTP response header. Options are:

    • SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.

    • ALLOW-FROM: The page can only be displayed in a frame on the specified URI. If ALLOW-FROM is used, specify the URL by adding a new flag with the following format:

      xframeoptions.services.allowfrom.<service name in all caps>=<URL>

      For example:

      xframeoptions.services.allowfrom.GEN.LAW-ENV.LSUSERAPP=http://cloud.infor.com

      The recommended value of the URI is the URI of the primary authenticating service or the Infor OS Portal (or Infor Ming.le) URI if you are using Infor OS Portal (or Infor Ming.le).

    Default value: False

    There is a potential for false positives with this property. The login page might not render properly inside Lawson Portal unless xframeoptions.value is set to "ALLOW-FROM https://<host>:<port>" where host and port are the endpoint of Lawson Portal or Infor Ming.le.

    xframeoptions.services.enabled

    If enabled (true), the X-Frame-Options HTTP response header is set on pages of services participating in SSO. This header helps prevent clickjacking attacks by instructing the browser not to render the page if it is embedded on another page.

    Note: This property, when enabled, may cause some pages not to render properly. When this happens, use the contentsecuritypolicy.frameancestors.enabled property instead.

    Default value: False

    There is a potential for false positives with this property. Some pages might not render properly inside Lawson Portal or Infor Ming.le unless the resulting X-Frame-Options header value is the endpoint of Lawson Portal or Infor Ming.le.

    contentsecuritypolicy.frameancestors.enabled

    If enabled (true), the Content-Security-Policy HTTP response header with the "frame-ancestors" directive will be put on web pages. Similar to the X-Frame-Options header, it helps prevent clickjacking by instructing the browser not to render the page if it is embedded on another page.

    Default value: False

    There is a potential for false positives with this property. Some pages might not render properly inside Lawson Portal or Infor Ming.le unless the resulting frame-ancestors directive value is the endpoint of Lawson Portal or Infor Ming.le.

    contentsecuritypolicy.frameancestors.value

    If the contentsecuritypolicy.frameancestors.enabled property is set to true, use the contentsecuritypolicy.frameancestors.value property to specify a space-delimited list of URIs that will be allowed to embed the pages.

    For example:

    contentsecuritypolicy.frameancestors.value=https://lsfdomain.lsfhost.com https://lmrkdomain.lmrkhost.com https://mingledomain.minglehost.com

    The recommended value is a space-delimited list of the URIs of the Infor Landmark, Infor LSF and Infor OS Portal (or Infor Ming.le) hosts.

    Default value: *

    There is a potential for false positives with this property. Some pages might not render properly inside Lawson Portal or Infor Ming.le unless the resulting frame-ancestors directive value is the endpoint of Lawson Portal or Infor Ming.le.
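The response-header properties above (cachecontrolheader.*, xxssprotection.header.enabled, anti.mime.sniffing.enabled, xframeoptions.* and contentsecuritypolicy.frameancestors.*) can be checked against an actual properties file with the added example below; it is not Infor's code, reads only the key=value lines, uses the xframeoptions.services.allowfrom.<SERVICE NAME>=<URL> flag form given for ALLOW-FROM, and falls back to SAMEORIGIN when no URL is registered for a service (an assumption). The sample properties and hostnames are constructed.

```python
def parse_properties(text: str) -> dict:
    """Minimal reader for the key=value lines of a lawsonsecurityva.properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def response_headers(props: dict, service: str = "") -> dict:
    """Headers the enabled properties add to a response (service = SSO service name in caps)."""
    def enabled(key: str) -> bool:
        return props.get(key, "false").strip().lower() == "true"

    headers = {}
    if enabled("cachecontrolheader.enabled"):
        headers["Cache-Control"] = props.get(
            "cachecontrolheader.value",
            "no-store, no-cache, must-revalidate, private, proxy-revalidate")
    if enabled("xxssprotection.header.enabled"):
        headers["X-XSS-Protection"] = "1; mode=block"
    if enabled("anti.mime.sniffing.enabled"):
        headers["X-Content-Type-Options"] = "nosniff"
    if enabled("xframeoptions.enabled"):
        value = props.get("xframeoptions.value", "SAMEORIGIN").strip()
        if value.upper() == "ALLOW-FROM":
            # Per-service URL flag: xframeoptions.services.allowfrom.<SERVICE NAME>=<URL>
            uri = props.get(f"xframeoptions.services.allowfrom.{service}") if service else None
            value = f"ALLOW-FROM {uri}" if uri else "SAMEORIGIN"  # assumed fallback
        headers["X-Frame-Options"] = value
    if enabled("contentsecuritypolicy.frameancestors.enabled"):
        ancestors = props.get("contentsecuritypolicy.frameancestors.value", "*").strip() or "*"
        headers["Content-Security-Policy"] = "frame-ancestors " + ancestors
    return headers


# Constructed sample, not a customer file.
SAMPLE = """\
#Cache-Control response header.
cachecontrolheader.enabled=true
cachecontrolheader.value=no-store, no-cache, must-revalidate, private, proxy-revalidate
anti.mime.sniffing.enabled=true
xxssprotection.header.enabled=false
xframeoptions.enabled=true
xframeoptions.value=ALLOW-FROM
xframeoptions.services.allowfrom.GEN.LAW-ENV.LSUSERAPP=https://portal.example.com
contentsecuritypolicy.frameancestors.enabled=true
contentsecuritypolicy.frameancestors.value=https://lsf.example.com https://portal.example.com
"""
```

Running `response_headers(parse_properties(SAMPLE), "GEN.LAW-ENV.LSUSERAPP")` shows which headers the sample enables and how the per-service ALLOW-FROM flag is resolved.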

Example lawsonsecurityva.properties file

Following is an example of the properties file showing features enabled.

#Configuration for cookie security, session locked to same IP address
secure.cookie.enabled=false
originating.ipaddress.lock.enabled=true
#Set the Secure flag on session cookies
set.cookie.secure=true
#Destroy session on relogon after session expiration
destroy.expired.session=false
#Prevent session fixation by not permitting session cookies before logging in
prevent.session.fixation=true

#Enable URL redirect validation
url.redirect.check=true
#The action to take on an invalid URL is either to display a warning page or to block the redirection. Use the words Warn or Block.
url.redirect.action=Block
#Enable validation of used http method. If enabled only POST can be used for login/logout.
validate.http.method=true
#Enable logging for denied access by the Domain Authorization.
domain.authorization.log.denied.access=false
#Cross-Site Scripting validation
xssvalidation.enabled=true
#List validator names here. Comma separated
xss.validators=LdapInjection,ScriptTag,Hex,SQLInjection
#Options are:
#ScriptTag
#SQLInjection
#Hex
#LdapInjection
#Cache-Control response header.
cachecontrolheader.enabled=true
cachecontrolheader.value=no-store, no-cache, must-revalidate, private, proxy-revalidate
#Recommended value is: no-store, no-cache, must-revalidate, private, proxy-revalidate
#Click-jacking defensive script
clickjackingdefences.isenabled=false
#Enable XSS validation on client types (user-agent)
useragent.xss.validation.enabled=true
#Block unknown client types (user-agent)
useragent.block.unknowntypes=true
#Activate session timeout notification 
session.timeout.activatenotification=false
#Detect HTTP response splitting. Specify BLOCK or MONITOR action for detected attacks.
http.splitting.check.enabled=true
http.splitting.check.action=BLOCK
#Enable XSS Protection feature of the client browser
xxssprotection.header.enabled=true
#Prevent mime-sniffing based attacks
anti.mime.sniffing.enabled=true
CheckAllCookies=true
CheckAllHeaders=true 
#Use X-Frame-Options response header
xframeoptions.enabled=true
xframeoptions.value=SAMEORIGIN
 
#Use the Content-Security-Policy: frame-ancestors response header
contentsecuritypolicy.frameancestors.enabled=true
contentsecuritypolicy.frameancestors.value=https://lsf.host.com:443/ https://lmrk.host.com:443/ https://informingle.host.com:443/

#Use X-Frame-Options response header for ALL services. Value can be SAMEORIGIN or ALLOW-FROM.
#If ALLOW-FROM is used, specify the URL by adding a new flag with the following format:
#xframeoptions.services.allow-from.<service name in all caps>=<URL>
#example: xframeoptions.services.allow-from.GEN.SERVICE.WEBAPP=http://lmrk.host.com
xframeoptions.services.enabled=true
xframeoptions.services.value=SAMEORIGIN