Use the Session Validation Context as an additional layer of protection against session or cookie hijacking.

You can use the Session Validation Context with the Adaptive authentication policy framework. The framework uses authentication policies to evaluate authentication requests and then either denies or allows access based on policy inputs and conditions.

The Session Validation Context policy can be used in conjunction with post auth policy, where an admin can enforce IP restrictions to certain or all users during the logged in session.

The Session Validation Context feature evaluates the IP-addresses based on the conditions you set and allows access to the instance within a session. The Session Validation Context outcomes are as follows:

  • Deny Policy: Selecting Deny access policy as the default policy allows users to continue the session by default. The session is terminated only when one of the policy conditions defined in the deny access policy evaluates to true.
  • Allow Policy: Selecting Allow access policy as the default policy terminates the user session immediately unless one of the policy conditions defined in the allow access policy evaluates to true.
Note:
  • The Session Validation Context for an authentication policy is set to Allow Policy by default.
  • The Session Validation Context is implemented through the Allow policy. Setting the context to deny policy is not recommended.

The Session Validation Context works based on the following mechanism:

  • Captures the user's IP address on session creation from user request and stores it in the session and database.
  • Rejects a request when its IP address differs from that in the session or outside of the customer defined valid IP ranges you defined.
Note: The Session Validation Context is:
  • Available only for authenticated users.
  • Not applicable for guest user sessions or native mobile apps.
  • Optional and based on the requirement that it can be configured.
  • Executed only for the post-login requests.

Benefits of Session Validation

The Session Validation Context has the following benefits:

  • Restricts access to ServiceNow® when hijackers copy a user's session cookies from one device to another to impersonate the session.
  • Restricts the user's session access if they're using an insecure network.
  • Configures the various rules and IP ranges by user group or role for user logins.

Session Validation context record

Policies in the session validation context execute post-login requests.

Use the fields in the session validation policy context record to define how your instance uses your policy.

Table 1. Session Validation context form
FieldDescription
Name Name of the policy context. This field is static and can’t be changed.
Description Description of the context.
Default Policy Defines the default behavior of this context when evaluating the policy. Select from the following options.
Allow Policy
Denies access to all users by default, and only allows access when the conditions in the Allow Policy field evaluate to true.
Deny Policy
Allows access to all users by default, and only denies access when the conditions in the Deny Policy field evaluate to true.
Allow Policy The policy used for this context. This field appears only when the Default Policy field is set to Allow Policy.
Deny Policy The policy used for this context. This field appears only when the Default Policy field is set to Deny Policy.

You can choose the Session Validation Policy as Allow Policy or Deny Policy based on the policy input and policy conditions.

Note:

You can only use the IP, Role, and Group filter criteria for Session Validation policy.

Policy inputs and conditions

The Policy Input and Policy Conditions tabs display the inputs and conditions of the policy selected in the Allow Policy or Deny Policy field. These tabs serve as a reference; but they can’t be used to change the policy inputs or conditions. To modify your policy, navigate to the policy using the reference icon (Reference icon) next to the Allow Policy or Deny Policy field.