Choosing the best session handling mode
Generally, Airlock Gateway can be flexibly configured to meet the functional and security requirements described in the Section – Application. For session handling, you have to choose one of the session handling modes for your web application/backend.
Since session handling is an important basic setting, our best practice recommendation is to choose Enforce session mode, letting Airlock Gateway ensure that sessions are available in all cases. This requires slightly more resources*.
Points in favour of the Enforce session mode:
- Only when all requests/responses are collected in sessions is a detailed (session-based) analysis possible in the first place.
- CSRF protection requires a session.
- Airlock Anomaly Shield can only be trained on session-based mappings. Trained Anomaly Shield applications can also be used on sessionless mappings, but the anomaly detection rate is normally better on session-based mappings.
- Upstream authentication and authorization usually require session handling, and Airlock Gateway can add central session control.
- Threat handling is improved, i.e., terminating a session is only effective on authenticated sessions.
- Client fingerprinting only works session-based.
- ...
All other modes listed in the table below offer less functionality in terms of security features and session-related features offered by Airlock Gateway and therefore should only be used when Enforce session mode cannot be applied. See also Section – Application when changing mode.
\* The actual RAM usage depends on the number of concurrent sessions and their size. An average session size assumption of 30KB should fit most real-world use cases as the size varies (max. 72KB).
Mode | Description
---|---
Enforce session | Requests are aggregated into sessions. This is the recommended mode.
Use available session | Sessions are optional.
Use available session (no refresh) | Sessions are optional.
Sessionless | Session handling is disabled. This mode may improve resource usage for the delivery of anonymous stateless content, such as image directories or static web repositories, at the cost of traffic traceability and other disadvantages.
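To illustrate why session-based aggregation matters for the analysis and threat handling points above, here is an added example that is not Airlock Gateway code and does not use its log format: a constructed access log in which two clients share one IP address (as behind NAT). With a session identifier present, the burst of failed logins can be attributed to exactly one session and that session alone can be terminated; with only the client IP available (the sessionless case), the benign second session would be hit as well, and requests without any session cannot be attributed at all. The log layout, paths and session IDs are all constructed for this example.

```python
# Added example (not Airlock Gateway code): per-session vs. per-IP analysis.
# The log line layout below is constructed for this example only; it is NOT
# the Airlock Gateway log format. Fields: timestamp ip session method path status
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample: session s-aaa hammers the login form, s-bbb is a benign
# user behind the same NAT address, and two static requests carry no session ("-").
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 s-aaa GET /app/home 200
2024-01-01T10:00:01 203.0.113.5 s-aaa POST /app/login 401
2024-01-01T10:00:02 203.0.113.5 s-aaa POST /app/login 401
2024-01-01T10:00:03 203.0.113.5 s-aaa POST /app/login 401
2024-01-01T10:00:04 203.0.113.5 s-aaa POST /app/login 401
2024-01-01T10:00:05 203.0.113.5 s-bbb GET /app/home 200
2024-01-01T10:00:06 203.0.113.5 s-bbb GET /app/profile 200
2024-01-01T10:00:07 198.51.100.7 - GET /static/logo.png 200
2024-01-01T10:00:08 198.51.100.7 - GET /static/style.css 200
"""


@dataclass(frozen=True)
class Request:
    ts: str
    client_ip: str
    session_id: Optional[str]  # None when the request was not attached to a session
    method: str
    path: str
    status: int


def parse_log(text: str) -> list[Request]:
    """Parse the constructed log format; '-' in the session column means 'no session'."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, sid, method, path, status = line.split()
        requests.append(Request(ts, ip, None if sid == "-" else sid, method, path, int(status)))
    return requests


def is_failed_login(r: Request) -> bool:
    return r.method == "POST" and r.path == "/app/login" and r.status == 401


def failed_logins_by(requests: list[Request], key: Callable[[Request], Optional[str]]) -> dict[str, int]:
    """Count failed logins grouped by an arbitrary key (session id or client IP)."""
    counts: dict[str, int] = defaultdict(int)
    for r in requests:
        k = key(r)
        if k is not None and is_failed_login(r):
            counts[k] += 1
    return dict(counts)


def sessions_with_login_burst(requests: list[Request], threshold: int = 3) -> set[str]:
    """Session-based view: only the session that actually produced the failures is flagged."""
    counts = failed_logins_by(requests, lambda r: r.session_id)
    return {sid for sid, n in counts.items() if n >= threshold}


def ips_with_login_burst(requests: list[Request], threshold: int = 3) -> set[str]:
    """Sessionless fallback: the only key left to group on is the client IP."""
    counts = failed_logins_by(requests, lambda r: r.client_ip)
    return {ip for ip, n in counts.items() if n >= threshold}


def sessions_behind_ip(requests: list[Request], ip: str) -> set[str]:
    """Every session sharing one client IP; a countermeasure keyed on the IP affects all of them."""
    return {r.session_id for r in requests if r.client_ip == ip and r.session_id is not None}


def unattributed_requests(requests: list[Request]) -> int:
    """Requests with no session at all: invisible to any session-based analysis."""
    return sum(1 for r in requests if r.session_id is None)


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    print("sessions to terminate:", sessions_with_login_burst(reqs))
    print("IPs with a burst:", ips_with_login_burst(reqs))
    print("sessions sharing 203.0.113.5:", sessions_behind_ip(reqs, "203.0.113.5"))
    print("requests without a session:", unattributed_requests(reqs))
```

Running the block shows that the session-based view singles out `s-aaa`, whereas the IP-based view flags `203.0.113.5`, which also covers the benign session `s-bbb`; the two static requests without a session cannot be attributed either way. This is the practical difference behind the statements that session-based analysis is only possible when requests are collected in sessions and that terminating a session is only effective when there is a session to terminate.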