Rotate HTTP session identifiers (instance security hardening)

Use the glide.ui.rotate_sessions property to enable rotation of the HTTP session identifiers to reduce security vulnerabilities.

If an unauthenticated user's session ID doesn't change after authentication, a web application is vulnerable to a session fixation attack. A malicious user could start an unauthenticated session and give the associated session ID to the victim. Once the victim authenticates, the malicious user now shares that authenticated session.

More information


Attribute	Description
Property name	glide.ui.rotate_sessions
Configuration type	System Properties (/sys_properties_list.do)
Configure in Instance Security Center	Yes
Purpose	To achieve more secure session authentication.
Recommended value	true
Functional impact	(Medium) This remediation modified the SessionID when user navigates from unauthenticated page to authenticated pages. If you are using a proxy or hardcoding the SessionID when a user first logs in, or for any purpose, then there can be a potential functionality impact. If you are using the SAML 2.0 plugin for Single Sign-on authentication, it might interfere with the session information sharing between the instance and the Identity Provider. In such case, you can set this property to false.
Security risk	(Late) SessionID is used to process and authenticate the instance user by maintaining the session state on the browser. Thus, SessionID is deemed as sensitive data and should be secure by default. Session Rotation is a security control that enforces the alteration of sessionID whenever the user navigates from unauthenticated pages to authenticate pages.
References	Authentication with SAML

To learn more about adding or creating a system property, see Add a system property.

Rotate HTTP session identifiers (instance security hardening)

Use the glide.ui.rotate_sessions property to enable rotation of the HTTP session identifiers to reduce security vulnerabilities.

More information


Attribute	Description
Property name	glide.ui.rotate_sessions
Configuration type	System Properties (/sys_properties_list.do)
Configure in Instance Security Center	Yes
Purpose	To achieve more secure session authentication.
Recommended value	true
Functional impact	(Medium) This remediation modified the SessionID when user navigates from unauthenticated page to authenticated pages. If you are using a proxy or hardcoding the SessionID when a user first logs in, or for any purpose, then there can be a potential functionality impact. If you are using the SAML 2.0 plugin for Single Sign-on authentication, it might interfere with the session information sharing between the instance and the Identity Provider. In such case, you can set this property to false.
Security risk	(Late) SessionID is used to process and authenticate the instance user by maintaining the session state on the browser. Thus, SessionID is deemed as sensitive data and should be secure by default. Session Rotation is a security control that enforces the alteration of sessionID whenever the user navigates from unauthenticated pages to authenticate pages.
References	Authentication with SAML

To learn more about adding or creating a system property, see Add a system property.

How search works:

Topics are ranked in search results by how closely they match your search terms

Rotate HTTP session identifiers

Rotate HTTP session identifiers (instance security hardening)

More information

On this page

Rotate HTTP session identifiers

Rotate HTTP session identifiers (instance security hardening)

More information

Log in to personalize your search results and subscribe to topics