Session ID Customization
tCell supports Account Takeover detection, which is a major and common use case. Depending on the policy, tCell uses session IDs as one of the parameters to detect Account Takeover.
In most cases, the tCell agent automatically detects the session ID used by the application with no customization. However, some applications customize their session ID handling, so the standard cookie session is not appropriate. For such cases, when using the .NET Core agent, customers can write a custom lambda and pass it to the UseTcellSessionId middleware function, defined as follows:
UseTcellSessionId usage
public IApplicationBuilder UseTcellSessionId(this IApplicationBuilder app, Func<HttpContext, string> action);
The string returned by the lambda is used as the custom session ID. Also note that the middleware is a .NET Core middleware component and should be configured using the standard .NET Core Service Startup Configure method.
Example
While you can use any form of context manipulation, the following use case covers an application that appends a dynamic salt to the end of the session ID, which must be removed before tCell uses the value. In this example, a partial snippet of a Startup class, a custom lambda retrieves the session ID from cookie "abc" and returns the part of the string before the hyphen "-".
Example Session Handling Snippet
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;
using Tcell.Agent.AspNetCore;
...

public class Startup
{

    ...

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {

        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseStaticFiles();

        // add logic to extract the Session ID
        app.UseTcellSessionId(context => GetTheCustomSessionId(context));

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }


    private const string CustomSessionKey = "abc";

    // _logger is a logger field set up in the elided part of the class.
    private string GetTheCustomSessionId(HttpContext ctxt)
    {
        _logger.LogInformation("getting session from context");
        var cookieValue = ctxt.Request.Cookies[CustomSessionKey];

        // Keep the part before the first hyphen; the salt after it is dropped.
        // A request without the cookie yields null instead of throwing.
        var prefix = cookieValue?.Split('-').First();
        return prefix;
    }


}
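
The following is an added example, not part of the original page and not tCell's code: the same salt-stripping logic as a pure function that can be checked on its own, so that a missing cookie or a value with nothing before the hyphen is never reported as a session. SessionIdExtractor, FromCookieValue, FromContext and MaxLength are hypothetical names, the sample values are constructed, and returning null to mean "no session" is an assumption about what the agent accepts.

```csharp
using System;
using Microsoft.AspNetCore.Http;

// Added example. Only the cookie name "abc" and the "-" separator come from the page.
public static class SessionIdExtractor
{
    private const string CustomSessionKey = "abc";
    private const int MaxLength = 128; // assumed upper bound for a plausible session ID

    // Pure function: edge cases can be unit tested without an HttpContext.
    public static string FromCookieValue(string cookieValue)
    {
        if (string.IsNullOrEmpty(cookieValue))
            return null; // no cookie: anonymous request (null is an assumption)

        // Everything before the first hyphen is the stable ID; the rest is the salt.
        var hyphen = cookieValue.IndexOf('-');
        var id = hyphen < 0 ? cookieValue : cookieValue.Substring(0, hyphen);

        // Do not report an empty or oversized client-supplied value as a session.
        if (id.Length == 0 || id.Length > MaxLength)
            return null;

        return id;
    }

    // Matches Func<HttpContext, string>, so it can be registered as:
    //   app.UseTcellSessionId(SessionIdExtractor.FromContext);
    public static string FromContext(HttpContext context)
        => FromCookieValue(context.Request.Cookies[CustomSessionKey]);

    // Stand-alone demo entry point; drop it when copying the class into an application.
    public static void Main()
    {
        // Constructed sample cookie values: two salts for one session, then edge cases.
        string[] samples = { "s3ss10n-saltA", "s3ss10n-saltB", "s3ss10n", "-saltonly", "", null };
        foreach (var s in samples)
        {
            Console.WriteLine($"{s ?? "<missing>"} -> {FromCookieValue(s) ?? "<none>"}");
        }
    }
}
```

The first two samples map to the same ID, which is what lets requests carrying different salts be attributed to one session.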