16.1.4. Session tracking

The flow state machine keeps track of the state (possible next steps, tags, red flags, etc.) in a session.

A session is referenced by the REST client using either (depending on configuration):

  • An HTTP Cookie
  • An HTTP header token (e.g. the X-Access-Token header)

Session ID rotation

To prevent session fixation attacks (a.k.a preset session attacks), the ID of an existing session may be changed at any time by the IAM REST API. REST clients must be aware of this and support this.

The session ID rotation feature can be disabled by configuring an Advanced Flow Processor instead of the default processor in the corresponding flow.

There may be situations, where turning off session ID rotation may make sense (e.g. for transaction approval in internal fully trusted environments). Only disable it, if you know exactly what you do!