JSON Configuration for Sessions
...
- io.ceptor.session.SessionResolverBearerToken
  Allows use of an OAuth2 bearer token in the HTTP request header Authorization.
- io.ceptor.session.SessionResolverApiKey
  Allows using an API key contained in an HTTP header, e.g. ceptor-apikey, instead of using a session ID to identify the session.
- io.ceptor.session.SessionResolverCookie
  Supports use of a session cookie.
- io.ceptor.session.SessionResolverDomainRedirect
  Supports using Domain Redirect URLs (URLs ending with ".domainRedirect"), which allow sharing sessions between two or more domains, e.g. www.mydomain1.com and www.myotherdomain.com.
- io.ceptor.session.SessionResolverSSLClientCert
  Allows using an SSL client certificate as a "ticket", with no other session ID. If no session currently exists for the incoming client certificate, one is created and the user is authenticated, assuming the authentication plugin allows access.
- io.ceptor.session.SessionResolverSSLClientCertAPIManagement
  Allows using an SSL client certificate to authenticate. Instead of the regular Ceptor SSL client certificate authentication plugin, the API Management specific plugin is used, which looks up certificates in API Partner Application definitions.
- io.ceptor.session.SessionResolverScript
  Allows implementing a session resolver in JavaScript, which makes it easy to add custom functionality to the gateway.
...
Default: none
JSON key: resolvers
Defense
...
Against Session Fixation Attack
Session fixation is a form of attack where an attacker uses a public computer, captures the session ID, and then leaves the computer for another user to authenticate on. When that user authenticates later, if the session ID is not changed, the attacker still holds a valid session ID and can take over the authenticated user's session.
...
If a SessionResolverApiKey is added, this setting is used:
HTTP Header name for API key
Can be used to specify the name of the HTTP header to read the API key from.
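As an added illustration (not Ceptor's own code), the following Python models a resolver chain like the one listed above, the configurable API key header, and the session-ID regeneration on login that defeats session fixation; the header names, cookie name and in-memory stores are assumptions.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory stores; a real gateway would back these with its session store.
SESSIONS = {}   # session id -> {"user": ..., "authenticated": bool}
API_KEYS = {}   # API key -> session id it identifies (assumed mapping)

def new_session():
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None, "authenticated": False}
    return sid

# Each resolver reads the (lower-cased) request headers and returns a known
# session id, or None so the next resolver in the chain is tried.
def resolve_bearer(headers):
    scheme, _, token = headers.get("authorization", "").partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token in SESSIONS else None

def resolve_api_key(headers, header_name="ceptor-apikey"):
    # header_name plays the role of the configurable "HTTP Header name for API key"
    return API_KEYS.get(headers.get(header_name))

def resolve_cookie(headers, cookie_name="sessionid"):
    jar = SimpleCookie(headers.get("cookie", ""))
    sid = jar[cookie_name].value if cookie_name in jar else None
    return sid if sid in SESSIONS else None

RESOLVERS = [resolve_bearer, resolve_api_key, resolve_cookie]

def resolve_session(headers):
    """Try the configured resolvers in order; the first match wins."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for resolver in RESOLVERS:
        sid = resolver(lowered)
        if sid is not None:
            return sid
    return None

def authenticate(sid, user):
    """Session fixation defence: on successful login the pre-authentication id is
    retired and a fresh one issued, so an id captured or planted before login
    no longer resolves to the authenticated session."""
    state = SESSIONS.pop(sid)
    state.update(user=user, authenticated=True)
    fresh = secrets.token_urlsafe(32)
    SESSIONS[fresh] = state
    return fresh
```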
...