This is the documentation for SuperSTAR 9.8



To provide an enhanced level of security for SuperWEB2, you can enable two servlet filters in <tomcat_home>\webapps\webapi\WEB-INF\web.xml. Both filters and their filter-mappings are already present in the file but are commented out by default:

<!-- Session UserAgent Filter -->
<!-- 
<filter>
  <filter-name>SessionUserAgentFilter</filter-name>
  <filter-class>au.com.str.webapi.webcontent.common.servlet.http.filter.SessionUAFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SessionUserAgentFilter</filter-name>
  <url-pattern>*</url-pattern>
</filter-mapping>
-->
    
<!-- Session IP Filter -->
<!-- 
<filter>
  <filter-name>SessionIPFilter</filter-name>
  <filter-class>au.com.str.webapi.webcontent.common.servlet.http.filter.SessionIPFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SessionIPFilter</filter-name>
  <url-pattern>*</url-pattern>
</filter-mapping>
-->

Remove the comment markers (the "<!--" and "-->" lines) that surround each filter and its filter-mapping to activate user agent and IP address filtering. The descriptive comment lines can stay; the result should look like this:

<!-- Session UserAgent Filter -->
<filter>
  <filter-name>SessionUserAgentFilter</filter-name>
  <filter-class>au.com.str.webapi.webcontent.common.servlet.http.filter.SessionUAFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SessionUserAgentFilter</filter-name>
  <url-pattern>*</url-pattern>
</filter-mapping>
    
<!-- Session IP Filter -->
<filter>
  <filter-name>SessionIPFilter</filter-name>
  <filter-class>au.com.str.webapi.webcontent.common.servlet.http.filter.SessionIPFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SessionIPFilter</filter-name>
  <url-pattern>*</url-pattern>
</filter-mapping>

When these filters are enabled, SuperWEB2 records the client IP address and User-Agent header when a session is established and compares them on every subsequent request. If either value changes during the session, the session is invalidated and the user is logged out automatically. Tomcat treats the url-pattern * as match-all, so both filters run on every request to the webapi application (the servlet specification's portable spelling of the same pattern is /*).

This reduces the risk of a captured session token being replayed to hijack the session: a token presented from a different IP address, or from a different browser or tool, is rejected and the session ends.

Restart Tomcat, or redeploy the webapi application, after editing web.xml so that the new filter chain is loaded. Because web.xml ships with the application, re-apply the change after upgrading or redeploying webapi.

The IP filter compares the address that Tomcat sees. If SuperWEB2 sits behind a reverse proxy or load balancer, every client appears to come from the proxy's address unless Tomcat is configured to use the forwarded client address (for example with the RemoteIpValve); otherwise the check cannot distinguish one client behind the proxy from another. Users whose address changes legitimately during a session, such as mobile clients moving between networks or corporate egress proxies that rotate addresses, will be logged out and must log in again.

The user agent check is defence in depth only: an attacker who can capture the session cookie can usually capture and replay the User-Agent header with it. Both filters complement, rather than replace, serving SuperWEB2 over HTTPS with Secure and HttpOnly session cookies, which make the token harder to capture in the first place.
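To show what a filter of this kind does, here is an added Python model of the check, written for this page; it is not SuperWEB2's own SessionUAFilter or SessionIPFilter code (those are Java servlet filters whose internals are not shown here). The class name SessionBindingFilter, the Request and Session shapes, the verdict strings and the trusted_proxies handling are all assumptions, and the IP addresses, session IDs and User-Agent strings are constructed sample data. It also goes one step beyond the page: the third scenario shows that behind a reverse proxy the IP check only becomes meaningful once the forwarded client address from a trusted proxy is used.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Request:
    """The parts of an HTTP request a session-binding filter looks at (constructed shape)."""
    session_id: Optional[str]      # session cookie value, None when absent
    remote_addr: str               # TCP peer address as the container sees it
    user_agent: str                # User-Agent header
    x_forwarded_for: Optional[str] = None  # added by a reverse proxy, if there is one


@dataclass
class Session:
    bound_ip: Optional[str] = None
    bound_ua_hash: Optional[str] = None


class SessionBindingFilter:
    """Bind a session to the client IP and User-Agent seen on its first request
    and invalidate it when either changes (hypothetical name; not SuperWEB2 code)."""

    def __init__(self, trusted_proxies=()):
        # Reverse proxies whose X-Forwarded-For header may be believed. With an
        # empty list every client behind a proxy shares the proxy's address,
        # so an IP check cannot tell two clients apart.
        self.trusted_proxies = [ipaddress.ip_network(p) for p in trusted_proxies]
        self.sessions: Dict[str, Session] = {}

    def login(self, session_id: str) -> None:
        """Create an unbound session; the next request through the filter binds it."""
        self.sessions[session_id] = Session()

    def client_ip(self, req: Request) -> str:
        peer = ipaddress.ip_address(req.remote_addr)
        if req.x_forwarded_for and any(peer in net for net in self.trusted_proxies):
            # One trusted hop assumed: the rightmost entry was appended by that
            # proxy; anything to its left is client-controlled and ignored.
            return req.x_forwarded_for.split(",")[-1].strip()
        return req.remote_addr

    @staticmethod
    def ua_hash(user_agent: str) -> str:
        # Keep a digest rather than the raw header so the session stores less.
        return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()

    def do_filter(self, req: Request) -> str:
        """Return 'no-session', 'ok' or 'logged-out' for one request."""
        if req.session_id is None or req.session_id not in self.sessions:
            return "no-session"
        sess = self.sessions[req.session_id]
        ip, ua = self.client_ip(req), self.ua_hash(req.user_agent)
        if sess.bound_ip is None:
            sess.bound_ip, sess.bound_ua_hash = ip, ua   # first request: bind
            return "ok"
        if sess.bound_ip != ip or sess.bound_ua_hash != ua:
            # Mismatch: invalidate the session. The legitimate user is logged
            # out as well; that is the trade-off the filters make.
            del self.sessions[req.session_id]
            return "logged-out"
        return "ok"


# Constructed sample User-Agent strings.
FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0"
CURL = "curl/8.4.0"


def demo() -> Dict[str, List[str]]:
    """Run three constructed request sequences and return the filter's verdicts."""
    out = {}

    # 1. Direct connection: a cookie replayed from another host ends the session.
    f = SessionBindingFilter()
    f.login("s1")
    out["direct"] = [
        f.do_filter(Request("s1", "203.0.113.10", FIREFOX)),   # binds
        f.do_filter(Request("s1", "203.0.113.10", FIREFOX)),   # same client
        f.do_filter(Request("s1", "198.51.100.7", FIREFOX)),   # token replayed elsewhere
        f.do_filter(Request("s1", "203.0.113.10", FIREFOX)),   # victim is now logged out too
    ]

    # 2. Same IP, different User-Agent (token pasted into a command-line tool).
    f = SessionBindingFilter()
    f.login("s2")
    out["ua-change"] = [
        f.do_filter(Request("s2", "203.0.113.10", FIREFOX)),
        f.do_filter(Request("s2", "203.0.113.10", CURL)),
    ]

    # 3. Behind a reverse proxy at 10.0.0.5. Without trusting the proxy both
    # requests look like they come from 10.0.0.5 and the replay passes; with
    # the proxy trusted, X-Forwarded-For exposes the change of client.
    naive = SessionBindingFilter()
    aware = SessionBindingFilter(trusted_proxies=["10.0.0.0/8"])
    for flt in (naive, aware):
        flt.login("s3")
    victim = Request("s3", "10.0.0.5", FIREFOX, x_forwarded_for="203.0.113.10")
    attacker = Request("s3", "10.0.0.5", FIREFOX, x_forwarded_for="198.51.100.7")
    out["proxy-naive"] = [naive.do_filter(victim), naive.do_filter(attacker)]
    out["proxy-aware"] = [aware.do_filter(victim), aware.do_filter(attacker)]
    return out


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name}: {verdicts}")
```

The "proxy-naive" sequence is the case to watch for in a real deployment: both requests carry the same peer address, so the IP check passes for the replayed token even though the real client changed. The "proxy-aware" filter only believes X-Forwarded-For when the peer is one of the listed proxies, so a client cannot forge its own address by sending the header directly.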
