Algorithm to generate and validate session cookie for the RP #23

Open
@shawnhankim


As a Product Manager,

I want to enhance the session cookie algorithm to mitigate security issues in the following case.

The current RP implementation uses the $request_id generated by NGINX for the session cookie. This wouldn’t validate which client the session was created for after a successful token exchange with the IdP. So possibly anyone who holds the session cookie could access the backend from any client (browser or command line).

AC:

  1. While generating the session, instead of using the $request_id of NGINX, generate $session_id using the client’s agent (browser name or command line) + client-id + client IP, and hash it using the SHA-256 algorithm.
  2. Optional: Add a timestamp (hh:mm) to the hashed session_id.
  3. Every time the session cookie is presented by the client, validate it against the k/v store for a match to retrieve the token(s) and, in parallel, process step 1 once again to see whether the session supplied by the client is the same as the newly generated session. If there is no match, invalidate the existing session and invoke the new RP flow to get the user authenticated.
  4. This feature would be available by default, and the customer can choose NOT to process step 3 using configuration.

Assumption:

  • Users who receive the session_id on their client’s user agent can't use the session by manually copying it into another client’s user agent.
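
The generation and validation steps from the AC above, sketched as an added example in Node.js JavaScript. It is not code from this issue or from the project; the function names, the in-memory `Map` standing in for the k/v store, the `bindToClient` option (the step 4 switch) and the sample clients are assumptions.

```javascript
// Added example (Node.js), not the project's code; all names are hypothetical.
const crypto = require('node:crypto');

// Step 1: SHA-256 over user agent + client ID + client IP.
// JSON-encoding the fields keeps "a"+"bc" and "ab"+"c" from hashing alike.
function deriveSessionId({ userAgent, clientId, clientIp }) {
  return crypto.createHash('sha256')
    .update(JSON.stringify([userAgent, clientId, clientIp]))
    .digest('hex');
}

// Constant-time comparison of two hex digests.
function sameDigest(a, b) {
  const x = Buffer.from(a, 'hex');
  const y = Buffer.from(b, 'hex');
  return x.length > 0 && x.length === y.length && crypto.timingSafeEqual(x, y);
}

// After the token exchange: store the tokens under the derived ID.
function createSession(store, client, tokens) {
  const id = deriveSessionId(client);
  store.set(id, tokens);
  return id; // value placed in the session cookie
}

// Step 3: look the cookie up in the k/v store and, unless disabled (step 4),
// recompute step 1 for the presenting client and compare the two values.
function validateSession(store, cookie, client, { bindToClient = true } = {}) {
  if (typeof cookie !== 'string' || !store.has(cookie)) {
    return { ok: false, reason: 'unknown-session' };
  }
  if (bindToClient && !sameDigest(cookie, deriveSessionId(client))) {
    store.delete(cookie); // invalidate; the caller restarts the RP flow
    return { ok: false, reason: 'client-mismatch' };
  }
  return { ok: true, tokens: store.get(cookie) };
}

// Constructed sample clients (documentation-range IPs).
const browser = { userAgent: 'Mozilla/5.0 (X11; Linux x86_64)', clientId: 'my-rp-client', clientIp: '203.0.113.10' };
const cli = { userAgent: 'curl/8.5.0', clientId: 'my-rp-client', clientIp: '198.51.100.7' };
```

The derivation is deterministic, so two clients that share the same user agent, client ID and IP derive the same ID. The optional timestamp from step 2 is not modelled here.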
