
Session Configuration

ZeroTrustKerberosLink implements secure session management to maintain user authentication state while adhering to security best practices.

Session Storage

ZeroTrustKerberosLink supports multiple session storage backends:

Redis Session Storage

Redis is the recommended session storage backend for production deployments:

session:
  store: "redis"
  redis:
    host: "localhost"
    port: 6379
    db: 0
    password_env: "REDIS_PASSWORD"
    tls:
      enabled: true
      cert_file: "/etc/zerotrustkerberos/certs/redis-cert.pem"
      key_file: "/etc/zerotrustkerberos/certs/redis-key.pem"
      ca_file: "/etc/zerotrustkerberos/certs/ca.pem"

In-Memory Session Storage

For development or testing, in-memory storage can be used. Sessions held in memory are lost when the process restarts and are not shared between instances, so this backend is unsuitable for production:

session:
  store: "memory"
  memory:
    max_entries: 10000
    cleanup_interval: "5m"

Session Cookies

Configure how session cookies are handled:

session:
  cookie:
    name: "zerotrustkerberos_session"
    secure: true
    http_only: true
    same_site: "strict"
    max_age: 28800  # 8 hours in seconds
    domain: "example.com"  # Optional
    path: "/"

Security Settings

Secure Flag

The secure setting (the cookie's Secure attribute) ensures the browser only sends the cookie over HTTPS connections, so the session identifier is never exposed on a plaintext channel.

HttpOnly Flag

The http_only setting (the cookie's HttpOnly attribute) prevents client-side JavaScript from reading the cookie through document.cookie, so an XSS flaw cannot simply read out the session identifier.

SameSite Setting

The same_site setting (the cookie's SameSite attribute) controls whether the cookie is sent on cross-site requests. With the "strict" value shown above the browser omits it from every cross-site request, which blocks CSRF; "lax" still allows it on top-level navigations.

Session Timeouts

Configure session timeout behavior:

session:
  idle_timeout: "30m"     # Session expires after 30 minutes of inactivity
  absolute_timeout: "8h"  # Session expires after 8 hours regardless of activity
  refresh_threshold: "15m" # Refresh session if less than 15 minutes remaining
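
The cookie flags and the three timeout rules above, as an added example that is not ZeroTrustKerberosLink's own code: a session is rejected once either deadline has passed, is flagged for refresh when the nearer deadline is under refresh_threshold, and is re-issued with the cookie attributes from session.cookie. The Session type, field names and sample identifier are assumptions for illustration.

```go
package main

import (
	"net/http"
	"time"
)

// Timeouts from the session settings on this page, as Go durations.
const (
	IdleTimeout      = 30 * time.Minute // idle_timeout
	AbsoluteTimeout  = 8 * time.Hour    // absolute_timeout
	RefreshThreshold = 15 * time.Minute // refresh_threshold
)

// Session records the two timestamps the timeout rules depend on (assumed shape).
type Session struct {
	ID           string    // opaque identifier (constructed sample value)
	CreatedAt    time.Time // fixed at login: bounds absolute_timeout
	LastActivity time.Time // moved on each request: bounds idle_timeout
}

// Evaluate rejects a session past either deadline (reason names the rule) and
// otherwise reports whether to refresh: moving LastActivity to now slides the
// idle window but never the absolute deadline, which is fixed by CreatedAt.
func Evaluate(s Session, now time.Time) (valid, refresh bool, reason string) {
	absLeft := s.CreatedAt.Add(AbsoluteTimeout).Sub(now)
	idleLeft := s.LastActivity.Add(IdleTimeout).Sub(now)
	if absLeft <= 0 {
		return false, false, "absolute_timeout"
	}
	if idleLeft <= 0 {
		return false, false, "idle_timeout"
	}
	return true, absLeft < RefreshThreshold || idleLeft < RefreshThreshold, ""
}

// SessionCookie applies the flags from session.cookie. Max-Age is capped at the
// time left before the absolute deadline so a re-issued cookie never outlives it.
func SessionCookie(s Session, now time.Time) *http.Cookie {
	return &http.Cookie{
		Name:     "zerotrustkerberos_session",
		Value:    s.ID,
		Path:     "/",
		MaxAge:   int(s.CreatedAt.Add(AbsoluteTimeout).Sub(now).Seconds()),
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
	}
}
```

Note that a refresh near the absolute deadline only re-issues the cookie with the few minutes that remain; the user must log in again after absolute_timeout regardless of activity.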

Session Content

Configure what information is stored in the session:

session:
  content:
    include_user_info: true
    include_groups: true
    include_roles: true
    include_aws_account_info: true

Session Encryption

Configure encryption for session data:

session:
  encryption:
    enabled: true
    algorithm: "AES-256-GCM"
    key_env: "SESSION_ENCRYPTION_KEY"
    key_rotation:
      enabled: true
      interval: "168h"  # 7 days

Session Validation

Configure how sessions are validated. Binding a session to the client IP address (validate_ip) can log out users whose address changes mid-session, for example behind mobile carrier NAT, so weigh it against the user-agent and fingerprint checks, which are less disruptive:

session:
  validation:
    validate_ip: true
    validate_user_agent: true
    validate_fingerprint: true

High Availability Considerations

For high availability deployments:

session:
  store: "redis"
  redis:
    cluster:
      enabled: true
      nodes:
        - host: "redis-1.example.com"
          port: 6379
        - host: "redis-2.example.com"
          port: 6379
        - host: "redis-3.example.com"
          port: 6379
    sentinel:
      enabled: false

Security Considerations

When configuring sessions, follow these best practices:

Use Redis with TLS

Store sessions in Redis with TLS encryption enabled to protect session data in transit.

Enable Cookie Security Flags

Always enable the Secure, HttpOnly, and SameSite flags for session cookies.

Set Appropriate Timeouts

Configure session timeouts based on security requirements and user experience considerations.

Encrypt Session Data

Enable encryption for session data to protect sensitive information.

Implement Session Validation

Validate session integrity by checking IP address, user agent, or other contextual information.