Using Cookie Protection
Set up cookie protection to prevent unauthorized access to user sessions by binding session cookies to the IP address of the client.
Session cookies enable authentication across multiple applications without repeated logins, but they cannot detect misuse. If stolen, attackers can use them to access accounts without further authentication.
Cookie protection enhances security by binding session cookies to the user's IP address at sign-in. The system will require the user to reauthenticate and can optionally end the server-side session for that account.
Two main cookies are used to manage single sign-on for protected applications:
-
Session cookie: This is the primary cookie that represents the user's single sign-on session. Its name has the prefix:
ORA_OCIS_. If an attacker steals a session cookie, they can gain access to the account specific to this session cookie. -
Preference cookie (Keep Me Signed In cookie): This cookie represents the user's "Keep Me Signed In" session. It allows users to skip the authentication process during subsequent visits after the initial authentication succeeds. Its name has the prefix:
ORA_OCIS_PREFS_
Cookie protection provides the following safeguards:
- Binds session cookies to IP addresses: When a user authenticates successfully, the session cookie that is created is bound to the user's IP address.
- Detects IP divergence: If a subsequent authentication request is made using the same session cookie from a different IP address, the system enforces mitigation actions.
-
Trusted Network Perimeters:
When IAM detects that a session cookie is being used from a different IP address than the one originally associated with the session, it checks if that new IP address is included in the list of Trusted IPs.
Tenant administrators can define Trusted IPs by adding a list of Network Perimeters in the cookie protection settings. At runtime, the system checks whether the IP address of an incoming request falls within any of these Network Perimeters.
- If the request’s IP address is within a trusted IP range, the system doesn't take any mitigation action.
- If the request’s IP address is not within a Trusted IP range, the system takes appropriate mitigation action.
-
- Mitigation:
Mitigation refers to the actions taken by the system when IP divergence is detected.
The following measures are taken by IAM.
- Force Re-authentication:
Forcing re-authentication requires the user to verify their identity using a 1st factor, even if their current session is still active and valid. This process ensures the user must prove their identity again before they can access the application.
- Session Revocation:
IAM manages user sessions on the server side using Session Management. If the Session Management feature is enabled for the identity domain, and the tenant administrator chooses to revoke a session through the Session Settings page, IAM revokes the specific user session associated with that session cookie.
- Force Re-authentication:
Cookie protection doesn't prevent insider threats as it relies on IP-based detection, which might not identify malicious actions from within the trusted network.
Administrator Notifications and Auditing
Administrator Notifications
When cookie protection enforces mitigation action for a user, IAM sends an email notification to the identity domain administrators (users with the Identity Domain Administrator role) to inform them about the incident. Administrators can choose to disable these notifications in the OCI Console.
Auditing
Administrators can track audit logs that provide details on cookie protection enforcement that has occurred for users in the specified domain.
The following audit logs are available:
sso.authentication.failuresso.session.delete.success
Enabling Cookie Protection
Follow these steps to enable cookie protection.
Disabling Cookie Protection
- On the Session settings page, find the settings you want to change. If you need help finding the session settings page, see Listing Session Settings.
- Disable the Enable Cookie Protection option.
- Select Save changes.