Validation of the client identifier for a session
You can configure IBM® Security Verify Access to validate the client identifier so that a session cannot be used by a client other than the one that established it.
A client identifier can be the client's IP address or the contents of a configured HTTP header. The client identifier is associated with the session when the session is first established. WebSEAL then checks the client identifier on subsequent requests to ensure that a different client is not attempting to access the session.
If the client can connect directly to the WebSEAL server, the IP address of the client can be used to identify the client. However, if the WebSEAL traffic is routed through a network-terminating firewall, the contents of an HTTP header (for example, the X-Forwarded-For header) can be used to identify the client.
You can configure the client identifier to be validated for a session with the client-identifier stanza entry. This identifier is added to the credential as the client_identifier attribute and is validated on subsequent requests to ensure that the client does not change. See client-identifier for more information.
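
The check described above, as an added Python sketch that is not IBM's or WebSEAL's code: a toy session store records the client identifier (peer IP address or a configured header) when the session is established and compares it on every later request. The `SessionStore` class, its method names, and the choice to reject a request whose header is missing are assumptions of this sketch; the addresses are constructed sample values.

```python
import secrets

class SessionStore:
    """Toy session cache that binds each session to a client identifier."""

    def __init__(self, header_name=None):
        # header_name=None: identify the client by peer IP address;
        # otherwise use the contents of the named HTTP header.
        self.header_name = header_name
        self._sessions = {}

    def client_identifier(self, peer_ip, headers):
        if self.header_name is None:
            return peer_ip
        for name, value in headers.items():  # header names are case-insensitive
            if name.lower() == self.header_name.lower():
                return value.strip()
        return None  # header absent: no identifier available

    def establish(self, user, peer_ip, headers):
        ident = self.client_identifier(peer_ip, headers)
        if ident is None:
            raise ValueError("no client identifier in request")
        sid = secrets.token_urlsafe(32)
        # Kept with the credential, like the client_identifier attribute.
        self._sessions[sid] = {"user": user, "client_identifier": ident}
        return sid

    def validate(self, sid, peer_ip, headers):
        cred = self._sessions.get(sid)
        ident = self.client_identifier(peer_ip, headers)
        if cred is None or ident is None:
            return None
        if not secrets.compare_digest(ident.encode(), cred["client_identifier"].encode()):
            return None  # a different client is presenting this session
        return cred["user"]

def demo():
    # Direct connections: the peer IP address identifies the client.
    direct = SessionStore()
    sid = direct.establish("alice", "192.0.2.10", {})
    results = [direct.validate(sid, "192.0.2.10", {}), direct.validate(sid, "198.51.100.7", {})]
    # Behind a firewall every request shows the firewall's IP, so use the header.
    proxied, fw = SessionStore(header_name="X-Forwarded-For"), "203.0.113.1"
    sid = proxied.establish("bob", fw, {"X-Forwarded-For": "192.0.2.10"})
    results.append(proxied.validate(sid, fw, {"x-forwarded-for": "192.0.2.10"}))
    results.append(proxied.validate(sid, fw, {"X-Forwarded-For": "198.51.100.7"}))
    results.append(proxied.validate(sid, fw, {}))
    return results
```
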