require-auth-session-http-hdrs

Use the require-auth-session-http-hdrs configuration entry to control whether an HTTP header must be used in an authentication operation before it can be used as a session key.

Syntax

require-auth-session-http-hdrs = {yes|no}

Description

Controls whether an HTTP header must be used in an authentication operation before it can be used as a session key. This helps to ensure that the HTTP header used as a session key is trustworthy and reduces the risk of the header being spoofed.

Options

yes
The HTTP header must be used in an authentication operation before it will be accepted as a session key.
no
Any HTTP header can be used as a session key.
Note: If you set this configuration item to no, an unauthenticated value could be used as the index into the session. In this situation it is critical to ensure that the client is 'trusted' and is able to produce a secure session key; otherwise you open the environment up to session fixation attacks.
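The following is an added, simplified model of the policy described above; it is constructed for illustration and is not WebSEAL's implementation. It assumes a list of header names the deployment allows as session keys (session_http_headers), a set of header names that an authentication operation already validated for the request (authenticated_headers), and constructed header names such as X-Auth-Token and X-Session-Key.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SessionKeyPolicy:
    """Models require-auth-session-http-hdrs for one request (constructed example)."""

    # True models 'yes' (the default); False models 'no'.
    require_auth_session_http_hdrs: bool = True
    # Assumed: header names this deployment allows as session keys, in priority order.
    session_http_headers: List[str] = field(default_factory=list)

    def select_session_key(
        self, request_headers: Dict[str, str], authenticated_headers: Set[str]
    ) -> Optional[Tuple[str, str]]:
        """Return (header_name, value) accepted as the session key, or None.

        authenticated_headers holds the names of headers that an authentication
        operation consumed and validated for this request.
        """
        for name in self.session_http_headers:
            value = request_headers.get(name)
            if value is None:
                continue
            if self.require_auth_session_http_hdrs and name not in authenticated_headers:
                # 'yes': the header was never validated by authentication, so a
                # client-chosen value must not become the index into the session
                # cache (this is the session fixation case the note warns about).
                continue
            return name, value
        return None


# Constructed request: the client supplies X-Session-Key, which no authentication
# operation has validated, alongside X-Auth-Token, which authentication consumed.
REQUEST = {"X-Auth-Token": "tok-constructed-123", "X-Session-Key": "client-chosen"}
AUTHENTICATED = {"X-Auth-Token"}


def session_key_under(setting: str) -> Optional[Tuple[str, str]]:
    """Evaluate the constructed request with setting 'yes' or 'no'."""
    policy = SessionKeyPolicy(
        require_auth_session_http_hdrs=(setting == "yes"),
        session_http_headers=["X-Session-Key", "X-Auth-Token"],
    )
    return policy.select_session_key(REQUEST, AUTHENTICATED)
```

With yes, the unauthenticated X-Session-Key is skipped and only the authenticated X-Auth-Token can key the session; with no, the client-chosen X-Session-Key value is accepted as-is.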

Usage

This stanza entry is optional.

Default value

yes

Example

require-auth-session-http-hdrs = yes