Application is vulnerable to session hijacking attack

Document ID : KB000094891
Last Modified Date : 07/05/2018
Introduction:
A session misconfiguration in the application may give an attacker a way to capture or replay an authenticated user's session, bypass authentication, and gain unauthorized access to sensitive information, possibly with elevated privileges.
Environment:
Api Portal 3.5
Instructions:
TLS/SSL closes the network route to session hijacking: a session cookie or token that only ever travels over a correctly configured HTTPS connection cannot be read or replayed by an on-path attacker. This holds only if Apache is configured as below, and it does not cover a token that leaks by another route, for example a session cookie set without the Secure flag, which the browser will also send over plain http://.
1. Edit /etc/httpd/conf.d/ssl.conf (the mod_ssl configuration file on Red Hat-style Apache installs) and make sure the following directives are in place:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLSessionTickets Off
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
2. Restart httpd so the change takes effect (service httpd restart, or systemctl restart httpd on systemd hosts).
Notes: the Header directive requires mod_headers to be loaded; SSLSessionTickets is available in httpd 2.4.11 and later; SSLProtocol All -SSLv2 -SSLv3 still permits TLS 1.0 and 1.1, so where every client supports TLS 1.2 the stricter value SSLProtocol -All +TLSv1.2 is preferable.
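The audit below is an added example and is not part of the KB article or of the Api Portal product. It is a POSIX shell function, audit_ssl_conf (a name chosen here), that reads an Apache mod_ssl configuration file and reports which of the five settings above are missing or weak, plus a live_check helper that asks a running server the same questions with openssl and curl. The two configuration files it audits are constructed inline so the script runs offline: the weak one imitates an older stock ssl.conf, the hardened one is the directive set from the instructions.

```shell
#!/bin/sh
# Added example (not from the KB article): offline audit of an Apache mod_ssl
# configuration against the five settings in the instructions. audit_ssl_conf,
# live_check and both sample files are constructed here for illustration;
# point audit_ssl_conf at the real /etc/httpd/conf.d/ssl.conf in practice.

# finding MSG: report one problem and bump the per-file counter
finding() { echo "FINDING: $1"; count=$((count + 1)); }

# audit_ssl_conf FILE
# Prints one FINDING line per required setting that is missing or weak.
# Return value = number of findings, so 0 means the file carries every setting.
audit_ssl_conf() {
    count=0
    # Strip comments first so a commented-out directive does not count as present.
    cfg=$(sed 's/#.*//' "$1")

    # 1. SSLv3 must be off (POODLE). The old stock value "all -SSLv2" leaves it on.
    proto=$(printf '%s\n' "$cfg" | grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' | tail -n 1)
    case "$proto" in
        '')                     finding "SSLProtocol not set" ;;
        *-SSLv3*)               ;;   # explicitly disabled
        *[Aa][Ll][Ll]*|*SSLv3*) finding "SSLv3 still enabled: $proto" ;;
    esac

    # 2. Cipher suite must be set and must not positively include export, NULL,
    #    RC4 or (3)DES groups; "!RC4" and "-RC4" exclude them and are accepted.
    ciphers=$(printf '%s\n' "$cfg" | grep -Ei '^[[:space:]]*SSLCipherSuite[[:space:]]' | tail -n 1)
    if [ -z "$ciphers" ]; then
        finding "SSLCipherSuite not set"
    elif printf '%s\n' "$ciphers" | grep -Eiq '(^|[[:space:]:+])(EXP|NULL|RC4|3?DES)'; then
        finding "SSLCipherSuite admits weak ciphers: $ciphers"
    fi

    # 3. The server, not the client, must choose the cipher.
    printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on([[:space:]]|$)' \
        || finding "SSLHonorCipherOrder is not On"

    # 4. Session tickets off, as the KB requires (the ticket key stays in the
    #    httpd process for its whole lifetime unless it is rotated).
    printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*SSLSessionTickets[[:space:]]+off([[:space:]]|$)' \
        || finding "SSLSessionTickets is not Off"

    # 5. HSTS header (mod_headers) so browsers never fall back to plain http://.
    printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*Header[[:space:]]+(always[[:space:]]+)?set[[:space:]]+Strict-Transport-Security' \
        || finding "no Strict-Transport-Security header"

    return "$count"
}

# live_check HOST:PORT - the same points asked of a running server (needs
# network, so it is defined but not called here). On OpenSSL builds compiled
# without SSLv3 the -ssl3 option is rejected, which counts as "no handshake".
live_check() {
    echo | openssl s_client -connect "$1" -ssl3 >/dev/null 2>&1 \
        && echo "FINDING: server completed an SSLv3 handshake"
    curl -sI "https://$1/" | grep -i '^Strict-Transport-Security' \
        || echo "FINDING: no Strict-Transport-Security header in the response"
}

# Constructed sample 1: an older stock-looking ssl.conf with weak defaults.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# comment lines and commented-out directives must be ignored by the audit
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
#SSLHonorCipherOrder on
EOF

# Constructed sample 2: exactly the directives from the instructions above.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLSessionTickets Off
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
EOF
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

echo "== weak sample =="
audit_ssl_conf "$WEAK_CONF" || echo "$? finding(s)"
echo "== hardened sample =="
audit_ssl_conf "$HARDENED_CONF" && echo "0 findings"
```

Run it against the real file with audit_ssl_conf /etc/httpd/conf.d/ssl.conf after editing, and against the running portal with live_check host:443 after the restart; the weak sample produces five findings, the hardened sample none.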