User Session Management: Difference between revisions
| (12 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| This page describes how user sessions are managed in QPR ProcessAnalyzer. | This page describes how user sessions are managed in QPR ProcessAnalyzer. | ||
| ==  | == User authentication and sessions == | ||
| All requests  | All requests to QPR ProcessAnalyzer are performed by a user account. Users needs to authenticate first to start a new session. Authentication can be performed by a password stored to QPR ProcessAnalyzer, or an external identity provider through [[SAML_2.0_Federated_Authentication|SAML 2.0 protocol]] can be used. As a result of the successful authentication, the user gets a session token, that is stored in the user's web browser. Once the user is authenticated, all subsequent requests authenticate using the session token, which is included into each request as HTTP request header. The session token in the request is then validated in QPR ProcessAnalyzer Server. If the session token is not valid, the request is rejected. | ||
| The session token is  | The session token is identified by GUID (global unique identifier). The length of the GUID (128 bits) guarantees uniqueness across space and time. New GUIDs are created by using the NEWID() function provided by SQL Server (https://docs.microsoft.com/en-us/sql/t-sql/functions/newid-transact-sql?view=sql-server-2017). The generated GUID's are compliant with RFC 4122 (https://tools.ietf.org/html/rfc4122). | ||
| For the session management to work in a secure way, the communication channel between the user and the server needs to be secure in terms in confidentiality and integrity. Thus the server needs to be configured to use the HTTPS protocol, with only secure ciphers allowed (more information in the [[QPR_ProcessAnalyzer_Security_Hardening|security hardening instructions]]). | For the session management to work in a secure way, the communication channel between the user and the server needs to be secure in terms in confidentiality and integrity. Thus the server needs to be configured to use the HTTPS protocol, with only secure ciphers allowed (more information in the [[QPR_ProcessAnalyzer_Security_Hardening|security hardening instructions]]). | ||
| User accounts are stored to the QPR ProcessAnalyzer database and their passwords are stored as one-way hash values calculated with the SHA-256 algorithm. Salt is used in the hashing for protection against the use of rainbow tables. | User accounts are stored to the QPR ProcessAnalyzer database and their passwords are stored as one-way hash values calculated with the SHA-256 algorithm. Salt is used in the hashing for protection against the use of rainbow tables. | ||
| [[QPR_ProcessAnalyzer_Logs#Server_Log|Server log]] keep track of all the usernames that try to authenticate to QPR ProcessAnalyzer. Also, client IP address is logged. | [[QPR_ProcessAnalyzer_Logs#Server_Log|Server log]] keep track of all the usernames that try to authenticate to QPR ProcessAnalyzer. Also, client IP address is logged. | ||
| == Log off and session expiration == | == Log off and session expiration == | ||
| When user logs offs a session, its session token is marked as invalid in the sessions table in QPR ProcessAnalyzer database, and thus the session cannot be used anymore. There are  | When user logs offs a session, its session token is immediately marked as invalid in the sessions table in QPR ProcessAnalyzer database, and thus the session cannot be used anymore. There are following settings related to session management ([[PA_Configuration_database_table|more information]]): | ||
| * '''Session idle timeout''': If the user session has not been used (i.e. there are no requests sent to the server), the session is invalidated after this duration. The purpose is to get the session invalidated soon, e.g. if user has  | * '''Session idle timeout''': If the user session has not been used (i.e. there are no requests sent to the server), the session is invalidated after this duration. The purpose is to get the session invalidated soon, e.g. if user has not log out the session after usage. By default this time is one hour. | ||
| * '''Session maximum duration''': Duration starting from the login after which the session is invalidated anyways (even though it is used continuously). The purpose is to get the session invalidated e.g. in cases where some automated script maintains the user session for ever. The best practice for these kind of scripts is to logout the session after the communication has been completed. The session maximum duration is by default 24 hours. | * '''Session maximum duration''': Duration starting from the login after which the session is invalidated anyways (even though it is used continuously). The purpose is to get the session invalidated e.g. in cases where some automated script maintains the user session for ever. The best practice for these kind of scripts is to logout the session after the communication has been completed. The session maximum duration is by default 24 hours. | ||
| When there is a script running, the related user session is kept alive for the duration of the script run. The session maximum duration is still applied, so it's not possible to run scripts longer than the defined session maximum duration. | |||
| == Preventing password guessing attacks == | == Preventing password guessing attacks == | ||
| QPR ProcessAnalyzer has a mechanism to prevent brute-force password guessing attacks. Each failed login attempt is recorded, and if there has been total of five (5) failed login attempts to a specific account, that account is locked for five (5) minutes. After the lockout period, the account is again available for logins. In  | QPR ProcessAnalyzer has a mechanism to prevent brute-force password guessing attacks. Each failed login attempt is recorded, and if there has been total of five (5) failed login attempts to a specific account, that account is locked for five (5) minutes. During the lockout period, all login attempts are rejected. After the lockout period, the account is again available for logins. In a longer time period, this mechanism only allows on average maximum of one password guess attempt per minute. If using strong passwords (at least 8 characters long), the probability of a successful guess in an attack that lasts for examples weeks, is extremely low. Note that the lockout is account specific, so it's possible to perform the attack for each user account separately. | ||
| The failed login attempts are logged ([[QPR_ProcessAnalyzer_Logs#Server_Log|more information  | The failed login attempts are logged ([[QPR_ProcessAnalyzer_Logs#Server_Log|more information]]), and it's recommended for the system administrator to monitor the logs regularly (i.e., perform SIEM, Security Information and Event Management), to detect possible password guessing attacks that are in progress. In case there is an attack, it's recommended to ask users to change their passwords and make sure that strong passwords are used. In addition, if the attack comes from specific IP addresses, it may be possible to block those IP addresses, to prevent the attack from continuing. In addition, for maximum security it's recommended to use external identity provider through the SAML 2.0 protocol, because in that case authentication using the QPR ProcessAnalyzer password is not possible and thus the password guessing attacks are not possible either. | ||
Latest revision as of 13:23, 19 October 2023
This page describes how user sessions are managed in QPR ProcessAnalyzer.
User authentication and sessions
All requests to QPR ProcessAnalyzer are performed by a user account. Users needs to authenticate first to start a new session. Authentication can be performed by a password stored to QPR ProcessAnalyzer, or an external identity provider through SAML 2.0 protocol can be used. As a result of the successful authentication, the user gets a session token, that is stored in the user's web browser. Once the user is authenticated, all subsequent requests authenticate using the session token, which is included into each request as HTTP request header. The session token in the request is then validated in QPR ProcessAnalyzer Server. If the session token is not valid, the request is rejected.
The session token is identified by GUID (global unique identifier). The length of the GUID (128 bits) guarantees uniqueness across space and time. New GUIDs are created by using the NEWID() function provided by SQL Server (https://docs.microsoft.com/en-us/sql/t-sql/functions/newid-transact-sql?view=sql-server-2017). The generated GUID's are compliant with RFC 4122 (https://tools.ietf.org/html/rfc4122).
For the session management to work in a secure way, the communication channel between the user and the server needs to be secure in terms in confidentiality and integrity. Thus the server needs to be configured to use the HTTPS protocol, with only secure ciphers allowed (more information in the security hardening instructions).
User accounts are stored to the QPR ProcessAnalyzer database and their passwords are stored as one-way hash values calculated with the SHA-256 algorithm. Salt is used in the hashing for protection against the use of rainbow tables.
Server log keep track of all the usernames that try to authenticate to QPR ProcessAnalyzer. Also, client IP address is logged.
Log off and session expiration
When user logs offs a session, its session token is immediately marked as invalid in the sessions table in QPR ProcessAnalyzer database, and thus the session cannot be used anymore. There are following settings related to session management (more information):
- Session idle timeout: If the user session has not been used (i.e. there are no requests sent to the server), the session is invalidated after this duration. The purpose is to get the session invalidated soon, e.g. if user has not log out the session after usage. By default this time is one hour.
- Session maximum duration: Duration starting from the login after which the session is invalidated anyways (even though it is used continuously). The purpose is to get the session invalidated e.g. in cases where some automated script maintains the user session for ever. The best practice for these kind of scripts is to logout the session after the communication has been completed. The session maximum duration is by default 24 hours.
When there is a script running, the related user session is kept alive for the duration of the script run. The session maximum duration is still applied, so it's not possible to run scripts longer than the defined session maximum duration.
Preventing password guessing attacks
QPR ProcessAnalyzer has a mechanism to prevent brute-force password guessing attacks. Each failed login attempt is recorded, and if there has been total of five (5) failed login attempts to a specific account, that account is locked for five (5) minutes. During the lockout period, all login attempts are rejected. After the lockout period, the account is again available for logins. In a longer time period, this mechanism only allows on average maximum of one password guess attempt per minute. If using strong passwords (at least 8 characters long), the probability of a successful guess in an attack that lasts for examples weeks, is extremely low. Note that the lockout is account specific, so it's possible to perform the attack for each user account separately.
The failed login attempts are logged (more information), and it's recommended for the system administrator to monitor the logs regularly (i.e., perform SIEM, Security Information and Event Management), to detect possible password guessing attacks that are in progress. In case there is an attack, it's recommended to ask users to change their passwords and make sure that strong passwords are used. In addition, if the attack comes from specific IP addresses, it may be possible to block those IP addresses, to prevent the attack from continuing. In addition, for maximum security it's recommended to use external identity provider through the SAML 2.0 protocol, because in that case authentication using the QPR ProcessAnalyzer password is not possible and thus the password guessing attacks are not possible either.