Session-Data Security

To maintain state information about staff members and customers, we use session data that is passed between the staff member’s or customer’s system and the web server.

When an individual is logged in, the session data serves as proof of authentication and grants access to data that would not otherwise be available. Session data security prevents attacks that stem from the trust the system places in authenticated users. Without session data security, attackers may be able to capture session data and reuse it. These are commonly referred to as “replay” attacks or “man-in-the-middle” attacks.

The SESSION_HARD_TIMEOUT configuration setting helps reduce session exploitation by forcing staff members to reauthenticate after a specified period of time. Set to twelve hours by default, this setting creates a new session while destroying the previous session each time the staff member reauthenticates. See How You Force Session Expiration.

The CP_FORCE_PASSWORDS_OVER_HTTPS configuration setting is enabled by default and helps protect staff members and customers from malicious activity such as password theft. This setting requires that all login operations, such as submitting a login name and password, be performed over HTTPS. As a result, logged-in users interact with the site entirely over HTTPS.

Note: Pages that use passwords within standard widgets are automatically redirected to HTTPS.

If your site is password protected, you should require customers to log in to the customer portal. Even if only your answer pages are password protected, the CP_CONTACT_LOGIN_REQUIRED configuration setting enforces a secure login before customers can reach the pages and controls on the customer portal. The CP_CONTACT_LOGIN_REQUIRED setting also prevents unauthenticated chat sessions.

B2C Service offers different session management schemes for the administration interface and the customer portal. However, for both interfaces, we perform these actions:

  • Encrypt session data stored in cookies.
  • Set the Secure flag and the HTTP Only flag on cookies.
  • Make session data difficult to use from a different computer system.
  • Require staff members to reauthenticate after twelve hours. See the SESSION_HARD_TIMEOUT setting description in the first table.
  • Require staff members to reauthenticate after a specified period of inactivity. See the CLIENT_SESSION_EXP setting description in the first table.
  • Require all login operations to be performed over HTTPS. See the CP_FORCE_PASSWORDS_OVER_HTTPS setting description in the second table.
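
The following is an added illustration, not B2C Service code, of the administration-interface scheme described in the list above: an opaque random session ID stored server-side, an idle timeout (CLIENT_SESSION_EXP, 15 minutes), an absolute hard timeout (SESSION_HARD_TIMEOUT, 12 hours) after which reauthentication destroys the old session and creates a new one, a heuristic binding of the session to the originating client (assumption: the server sees the User-Agent and client address), and a Set-Cookie value with the Secure and HttpOnly flags. The timeout values, the SessionStore and FakeClock classes and the client attributes are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed values mirroring the documented defaults (in seconds).
IDLE_TIMEOUT = 15 * 60        # CLIENT_SESSION_EXP: 15 minutes of inactivity
HARD_TIMEOUT = 12 * 60 * 60   # SESSION_HARD_TIMEOUT: 12 hours from session creation


@dataclass
class Session:
    user: str
    created: float        # when the session was issued (hard-timeout anchor)
    last_seen: float      # last validated request (idle-timeout anchor)
    client_binding: str   # digest of client attributes, to hinder reuse from another system


class SessionStore:
    """Server-side session store; the cookie carries only an opaque random ID."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def bind_client(user_agent: str, client_ip: str) -> str:
        # Heuristic binding (assumption: these are the attributes the server sees;
        # a proxy that changes the address would simply force a reauthentication).
        return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()

    def create(self, user: str, user_agent: str, client_ip: str) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness: not guessable
        now = self._clock()
        self._sessions[sid] = Session(user, now, now, self.bind_client(user_agent, client_ip))
        return sid

    def validate(self, sid: str, user_agent: str, client_ip: str) -> Optional[str]:
        """Return the user if the session is still valid; otherwise destroy it and return None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        expired = (now - s.created > HARD_TIMEOUT        # absolute lifetime exhausted
                   or now - s.last_seen > IDLE_TIMEOUT)  # too long since the last request
        moved = not hmac.compare_digest(s.client_binding, self.bind_client(user_agent, client_ip))
        if expired or moved:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def reauthenticate(self, old_sid: str, user: str, user_agent: str, client_ip: str) -> str:
        """Destroy the previous session and issue a fresh one, as the hard timeout requires."""
        self._sessions.pop(old_sid, None)
        return self.create(user, user_agent, client_ip)

    def active(self, sid: str) -> bool:
        return sid in self._sessions


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value carrying the Secure and HttpOnly flags listed above."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


class FakeClock:
    """Adjustable clock so the timeouts can be exercised without waiting."""

    def __init__(self, t: float = 0.0) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock(0.0)
    store = SessionStore(clock)
    sid = store.create("agent1", "Mozilla/5.0", "192.0.2.10")   # constructed client attributes
    print(session_cookie_header(sid))
    clock.t += IDLE_TIMEOUT + 1
    print("after idle timeout:", store.validate(sid, "Mozilla/5.0", "192.0.2.10"))
```

The two timeouts are independent: a session that is touched every few minutes still dies at the twelve-hour mark, and one that is left untouched dies after fifteen minutes regardless of its age. Client binding is a heuristic, not a guarantee, so the timeouts remain the primary defence against a captured cookie.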

The configuration settings that affect your site’s session data are described in the following tables.

Administration Interface Settings for Session Data

| Configuration Setting | Description | Default Value |
|---|---|---|
| RightNow User Interface/General/Security | | |
| CLIENT_SESSION_EXP | Requires staff members to reauthenticate after a specified period of inactivity on the Service Console. Note: This setting is not used strictly for security. It is also used in the desktop usage administration feature. See Desktop Usage Control. | 15 minutes |
| SESSION_HARD_TIMEOUT | Requires staff members to reauthenticate after a specified period of time. This setting creates a new session each time the staff member reauthenticates; the previous session is destroyed. | 12 hours |

Customer Portal Settings for Session Data

| Configuration Setting | Description | Default Value |
|---|---|---|
| RightNow User Interface/General/Security | | |
| CP_LOGIN_MAX_TIME | Defines the time (in minutes) a customer can be logged in without needing to log in again. If a session goes past the defined setting, the customer is required to log in again. The default is 0, which means that the time is set by CP_LOGIN_COOKIE_EXP. | 0 |
| RightNow User Interface/Customer Portal/Login | | |
| CP_CONTACT_LOGIN_REQUIRED | Defines if the customer portal requires a customer to be logged in when accessing most pages or controls. Also prevents unauthenticated chat sessions. Note: This setting does not apply to the login, password recovery, and account creation pages, or pass-through authentication (PTA). PTA is described in Configuring Pass-Through Authentication. | No |
| CP_COOKIES_ENABLED | Defines if the customer portal tries to set cookies on a visitor’s browser. | Yes |
| CP_FORCE_PASSWORDS_OVER_HTTPS | Requires all login operations to be performed over HTTPS. Pages that use passwords within standard widgets are automatically redirected to HTTPS. | Yes |
| CP_LOGIN_COOKIE_EXP | The time (in minutes) before the customer portal login cookie expires. Set the value to -1 if you want the cookie to expire when the browser is closed. Set the value to 0 if you never want the cookie to expire. | 60 |
| CP_MAX_LOGINS | Defines the total number of concurrent users that can be logged in to your support site at any given time. A value of 0 means there is no limit. If you set a value for this setting, you must also set a non-zero value for CP_LOGIN_MAX_TIME. | 0 |
| CP_MAX_LOGINS_PER_CONTACT | Defines the total number of active, concurrent logins a single user can be logged in with. A value of 0 means there is no limit. If you set a value for this setting, you must also set a non-zero value for CP_LOGIN_MAX_TIME. | 0 |
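
The customer portal settings above carry sentinel values (-1 and 0 for CP_LOGIN_COOKIE_EXP, 0 for CP_LOGIN_MAX_TIME meaning "use the cookie expiry") and a dependency (a login cap requires a non-zero CP_LOGIN_MAX_TIME). The following added example, written for this page and not taken from B2C Service, shows how a server-side policy would interpret those semantics: it maps CP_LOGIN_COOKIE_EXP to the lifetime attribute of a Set-Cookie header, rejects a configuration that sets a cap without a login time limit, and enforces CP_MAX_LOGINS and CP_MAX_LOGINS_PER_CONTACT by letting logins older than CP_LOGIN_MAX_TIME age out. The PortalLoginTracker and FakeClock classes, the contact names and the Max-Age value used for "never expire" are assumptions made for the example.

```python
import time
from typing import Callable, List, Optional, Tuple


def cookie_expiry_attribute(cookie_exp_minutes: int) -> str:
    """Translate CP_LOGIN_COOKIE_EXP into the lifetime part of a Set-Cookie header."""
    if cookie_exp_minutes == -1:
        return ""                        # no Max-Age: a session cookie, dropped when the browser closes
    if cookie_exp_minutes == 0:
        return "; Max-Age=2147483647"    # "never expire" (assumption: largest 32-bit signed seconds)
    if cookie_exp_minutes < -1:
        raise ValueError("CP_LOGIN_COOKIE_EXP must be -1, 0, or a positive number of minutes")
    return f"; Max-Age={cookie_exp_minutes * 60}"


def effective_login_max_minutes(login_max_time: int, cookie_exp_minutes: int) -> int:
    """A CP_LOGIN_MAX_TIME of 0 means the login lifetime comes from CP_LOGIN_COOKIE_EXP."""
    return login_max_time if login_max_time > 0 else cookie_exp_minutes


def validate_login_caps(max_logins: int, max_per_contact: int, login_max_time: int) -> None:
    """Either cap requires a non-zero CP_LOGIN_MAX_TIME so that stale logins can age out."""
    if (max_logins or max_per_contact) and login_max_time <= 0:
        raise ValueError(
            "CP_MAX_LOGINS and CP_MAX_LOGINS_PER_CONTACT require a non-zero CP_LOGIN_MAX_TIME")


class PortalLoginTracker:
    """Counts active customer logins and refuses new ones beyond the configured caps."""

    def __init__(self, max_logins: int, max_per_contact: int, login_max_time: int,
                 clock: Callable[[], float] = time.time) -> None:
        validate_login_caps(max_logins, max_per_contact, login_max_time)
        self.max_logins = max_logins
        self.max_per_contact = max_per_contact
        self.login_max_time = login_max_time
        self._clock = clock
        self._logins: List[Tuple[str, float]] = []   # (contact id, login time)

    def _prune(self) -> None:
        # A login older than CP_LOGIN_MAX_TIME no longer counts: that customer must log in again.
        if self.login_max_time <= 0:
            return
        now = self._clock()
        limit = self.login_max_time * 60
        self._logins = [(c, t) for c, t in self._logins if now - t <= limit]

    def active_logins(self, contact_id: Optional[str] = None) -> int:
        """Number of live logins site-wide, or for one contact if given."""
        self._prune()
        if contact_id is None:
            return len(self._logins)
        return sum(1 for c, _ in self._logins if c == contact_id)

    def try_login(self, contact_id: str) -> bool:
        """Admit the login only if neither the site-wide nor the per-contact cap is reached."""
        if self.max_logins and self.active_logins() >= self.max_logins:
            return False
        if self.max_per_contact and self.active_logins(contact_id) >= self.max_per_contact:
            return False
        self._logins.append((contact_id, self._clock()))
        return True


class FakeClock:
    """Adjustable clock so the login time limit can be exercised without waiting."""

    def __init__(self, t: float = 0.0) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    print("cookie lifetime for default 60:", repr(cookie_expiry_attribute(60)))
    clock = FakeClock(0.0)
    tracker = PortalLoginTracker(max_logins=2, max_per_contact=1, login_max_time=30, clock=clock)
    print([tracker.try_login(c) for c in ("alice", "alice", "bob", "carol")])  # constructed contacts
```

The configuration check is the part worth copying: with CP_LOGIN_MAX_TIME left at 0, nothing would ever remove a login from the active count, so a cap would eventually lock every customer out, which is exactly why the page requires the non-zero value.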