Parallel HTTP Requests and Session Fixation Protection

Use

When a client sends several HTTP requests in parallel within a short time and some of them require authentication, the authentication state of the session changes as soon as the first of them is granted access to the requested resource. The remaining parallel requests then cannot complete authentication and are treated by AS Java as incorrect requests, that is, they are not given access to the requested resource. The session fixation mechanism in AS Java provides a solution for this problem.

Session Fixation Protection

Valid parallel requests from a user are distinguished from session fixation attacks by a feature controlled by the SecuritySessionIdGracePeriod property. This property allows a group of parallel requests that meet certain criteria (for example, have the same authentication configuration) to be accepted by AS Java. The default value of the property is 2 seconds.

The SecuritySessionIdGracePeriod property is configured as part of the servlet_jsp service properties. For more information, see Session Security Protection.

When two parallel requests require different authentication processes and the second one is not accepted, the client receives a 403 response with the error message "Possible session fixation attack detected! Contact your system administrator with a reference to SAP Note 1417679!"

Here are some alternatives for the administrator or application provider to solve this issue:

  • Try to avoid designing applications that send parallel requests requiring authentication from one user/client (browser).

  • If the first option is not possible, configure the affected applications with the same authentication stack, so that both parallel requests trigger identical authentication processes.

  • If neither of the above options can be applied, configure the authentication stack of the requested application so that the Session Fixation Protection parameter has the value grace_period. The default value is strict. For more information, see Editing the Authentication Policy of AS Java Components.

Note

Use this configuration with caution and only when the authentication mechanism is secure enough to prevent session fixation attacks.
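The following model shows the behaviour described in this document for both the parallel-request problem and the three alternatives above: the session ID is regenerated when the first request authenticates, a parallel request that still carries the pre-login ID is accepted only inside SecuritySessionIdGracePeriod, and whether a different authentication stack is tolerated depends on the Session Fixation Protection setting. This is an added illustration written for this page, not AS Java code: the class and function names, the synthetic clock, the 401 for an unknown session ID, and the reading that strict requires the same authentication stack inside the grace period while grace_period does not, are all assumptions made here.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Documented default of the servlet_jsp property SecuritySessionIdGracePeriod.
DEFAULT_GRACE_PERIOD_SECONDS = 2.0


@dataclass
class Request:
    """One HTTP request to a protected resource (constructed sample input)."""
    session_id: str   # session cookie the client sent
    auth_stack: str   # authentication stack of the requested application
    sent_at: float    # arrival time in seconds on a synthetic clock


@dataclass
class Session:
    session_id: str
    authenticated: bool = False
    auth_stack: Optional[str] = None    # stack that authenticated the session
    rotated_at: Optional[float] = None  # when the ID was regenerated


class SessionManager:
    """Hypothetical model of the server-side check, not SAP's implementation."""

    def __init__(self, protection: str = "strict",
                 grace_period: float = DEFAULT_GRACE_PERIOD_SECONDS) -> None:
        if protection not in ("strict", "grace_period"):
            raise ValueError("protection must be 'strict' or 'grace_period'")
        self.protection = protection      # Session Fixation Protection parameter
        self.grace_period = grace_period  # SecuritySessionIdGracePeriod
        self.live: dict[str, Session] = {}     # current ID -> session
        self.retired: dict[str, Session] = {}  # pre-login ID -> session

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.live[sid] = Session(sid)
        return sid

    def handle(self, req: Request) -> tuple[int, str]:
        """Return (HTTP status, body) for a request that requires authentication."""
        session = self.live.get(req.session_id)
        if session is not None:
            if not session.authenticated:
                self._authenticate(session, req)  # login rotates the session ID
            return 200, session.session_id
        session = self.retired.get(req.session_id)
        if session is None:
            return 401, "unknown session"  # assumption: plain unauthenticated reply
        # The request carries an ID that was already replaced by a login.
        within_grace = req.sent_at - session.rotated_at <= self.grace_period
        same_stack = req.auth_stack == session.auth_stack
        if within_grace and (same_stack or self.protection == "grace_period"):
            return 200, session.session_id
        return 403, ("Possible session fixation attack detected! Contact your "
                     "system administrator with a reference to SAP Note 1417679!")

    def _authenticate(self, session: Session, req: Request) -> None:
        old_id = session.session_id
        new_id = secrets.token_hex(16)  # fresh ID defeats a fixated one
        session.authenticated = True
        session.auth_stack = req.auth_stack
        session.rotated_at = req.sent_at
        session.session_id = new_id
        del self.live[old_id]
        self.live[new_id] = session
        self.retired[old_id] = session


def parallel_requests(protection: str, second_stack: str = "ticket",
                      delay: float = 0.1,
                      grace_period: float = DEFAULT_GRACE_PERIOD_SECONDS) -> tuple[int, int]:
    """Two requests sent with the same pre-login cookie; return both status codes."""
    mgr = SessionManager(protection, grace_period)
    sid = mgr.new_session()
    t0 = 1000.0
    first, _ = mgr.handle(Request(sid, "ticket", t0))
    second, _ = mgr.handle(Request(sid, second_stack, t0 + delay))
    return first, second


if __name__ == "__main__":
    print("strict, same stack:      ", parallel_requests("strict"))
    print("strict, other stack:     ", parallel_requests("strict", "basic"))
    print("grace_period, other stack", parallel_requests("grace_period", "basic"))
    print("grace_period, too late:  ", parallel_requests("grace_period", "basic", 5.0))
```

The second alternative (one authentication stack for the affected applications) corresponds to the strict case with second_stack equal to the first; the third alternative corresponds to the grace_period case, which accepts the mismatched stack inside the window and is exactly why the note above asks for caution.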