Zoom Webmin and Preview Server Cookie and Session Management

In this article, we learn how to configure the cookie and session management properties of the Zoom Webmin and Preview Server.
By understanding these properties, administrators can fine-tune the settings for their environment and make their deployment more secure.

Preview Server

The Evolphin Preview Server hosts and provides several functionalities, such as the Webclient, preview generation, video streaming and APIs.
To use any Preview Server feature, a client must first establish an authenticated session and obtain an authenticated cookie.
Admins need to tune the cookie and session timeouts carefully to provide the best user experience.

In this section, we will explore and learn:

  • How to configure cookie and session timeouts of various services on the Preview server.
  • How to secure cookies sent by Preview server.

Note: The web application settings for the Webclient, WebVAB and APIs are similar, but each lives in a different section of the preview-server.xml file, so each application can be configured independently.

Various web applications on Preview Server

  1. Webclient:
    1. Context Path: /webclient
    2. XML root tag: <webclientAppSpec>
  2. Web Asset Browser:
    1. Context Path: /vab
    2. XML root tag: <webVabAppSpec>
  3. Streaming APIs:
    1. Context Path: /review
    2. XML root tag: <reviewWebAppSpec>

Understanding XML tags

  1. webpath: Denotes the path on which the specific application will run. For example, the Webclient runs on the path /webclient on the Preview Server.
    WARNING: Changing this value is not recommended and might result in unexpected application misbehavior.
  2. cookieName: Name of the cookie/session to set in the browser for the specific context. If this value is omitted, the default is JSESSIONID.
    WARNING: Changing this value is not recommended and might result in unexpected application misbehavior.
  3. sessionAge: Controls the maximum age of the cookie (in seconds) in the browser.
    NOTE: Older versions of the Preview Server have this value set to -1 (never expire) by default. We recommend that admins inspect this value and change it to a fixed number of seconds, for example the equivalent of 7 days. The browser then discards the stored cookie after that fixed amount of time. Do not set this value too low, otherwise users will be logged out even before the idle session timeout.
    NOTE: From Zoom version 8.x onward, the effective default of this property is changing to 7 days: even if the XML has the value -1, the effective value will be equivalent to 7 days.
  4. secureCookie: When this value is set to true, the server instructs the browser to use the cookie only over a secure connection, i.e. the cookie must be served and used over HTTPS. If the flag is true and the web app is loaded in the browser over a non-secure connection, the browser will not store the cookie and will discard it. A session can then only be created over a secure connection.
    NOTE: It is recommended to use HTTPS and set this property to true.
  5. httpOnly: This flag instructs the browser to disallow reading the cookie from JavaScript or other client-side means; only the browser itself can read/write the cookie. This prevents malicious script from hijacking the cookie, since it cannot be read or written by any page code.
    NOTE: It is recommended to set this property to true.
  6. sessionDomain: Sometimes called cookieDomain. By default this value is null and you may not see this tag in the XML. Setting a value restricts the cookie domain: the browser will only use the cookie on matching domains and only send it back to the matching session domain or its subdomains.
  7. maxSessionInactiveInterval: Controls the idle session timeout (in seconds) on the Preview Server. The server removes sessions that are left idle and not in use for longer than this interval.
    Simply setting this value higher will not keep users logged in longer, because other factors, such as the concurrent session timeout and the Zoom cookie timeout, also play a role in the user session timeout. Webclient users will get logged out if the concurrent session timeout is less than this property. So, please make sure you set this value according to the value present on the Zoom server. For more details, read this Zoom License article.
    NOTE: Older versions of the Preview Server have this value set to -1 (never expire) by default. We strongly recommend that admins inspect this value and change it to a fixed number of seconds. For example, set it to 1800 for a 30-minute idle interval.
    NOTE: From Zoom version 8.x onward, the effective default of this property is changing to 30 minutes: even if the XML has the value -1, the effective value will be equivalent to 30 minutes.
  8. customCookieAttribute: Use this value to set a custom attribute on the cookies. It was added to support additional cookie attributes such as the SameSite attribute.
    NOTE: This property is only available in version 8.X or higher.
    To set the SameSite attribute, use it like this: <customCookieAttribute>SameSite=Strict</customCookieAttribute>
    1. SameSite=Strict => Cookies will only be sent in a first-party context and will not be sent along with requests initiated by third-party websites.
    2. SameSite=Lax => Cookies are allowed to be sent with top-level navigations and will be sent along with GET requests initiated by third-party websites. This is the default value in modern browsers.
    3. SameSite=None => Cookies will be sent in all contexts, i.e. sending them cross-origin is allowed. Note: None requires the Secure attribute to be set. If you are setting None, please set secureCookie to true.

Recommendations

  1. Validate your preview-server.xml and make sure the following attributes are set correctly:
    1. sessionAge – Should not be -1; set it to a fixed number of seconds, e.g. the equivalent of 7 days.
    2. maxSessionInactiveInterval – Should not be -1; set it to a fixed number of seconds, e.g. 1800 seconds for 30 minutes.
    3. secureCookie – Must be true if you are using HTTPS.
    4. httpOnly – Must be true to make the cookies more secure.
  2. If you are on version 8.X or higher:
    1. Understand what the SameSite attribute on the cookie does.
    2. Set the SameSite attribute only after understanding what it does.
    3. Test that the application works after setting the SameSite attribute.
    4. Make sure to test the API integration after changing the SameSite attribute.

Example of preview-server.xml

<previewserverspec>
  <reviewWebAppSpec>
    <webpath>/review</webpath>
    <cookieName>REVIEW_SESSION_COOKIE</cookieName>
    <sessionAge>604800</sessionAge>
    <sessionPath>/review</sessionPath>
    <secureCookie>true</secureCookie>
    <httpOnly>true</httpOnly>
    <maxSessionInactiveInterval>3600</maxSessionInactiveInterval>
    <sessionTrackingMode>COOKIE</sessionTrackingMode>
    <customCookieAttribute>SameSite=Strict</customCookieAttribute>
  </reviewWebAppSpec>
  <webVabAppSpec>
    <webpath>/vab</webpath>
    <cookieName>WEBVAB_SESSION_COOKIE</cookieName>
    <sessionAge>604800</sessionAge>
    <sessionPath>/vab</sessionPath>
    <secureCookie>true</secureCookie>
    <httpOnly>true</httpOnly>
    <maxSessionInactiveInterval>3600</maxSessionInactiveInterval>
    <sessionTrackingMode>COOKIE</sessionTrackingMode>
  </webVabAppSpec>
  <webclientAppSpec>
    <webpath>/webclient</webpath>
    <cookieName>WEBCLIENT_SESSION_COOKIE</cookieName>
    <sessionAge>604800</sessionAge>
    <sessionPath>/webclient</sessionPath>
    <secureCookie>true</secureCookie>
    <httpOnly>true</httpOnly>
    <maxSessionInactiveInterval>3600</maxSessionInactiveInterval>
    <sessionTrackingMode>COOKIE</sessionTrackingMode>   
    <customCookieAttribute>SameSite=Strict</customCookieAttribute>
  </webclientAppSpec>
.....
.....
</previewserverspec>
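The following script ties the "Understanding XML tags" section to the "Recommendations" above: it reads each web app spec from a preview-server.xml, derives the effective settings (applying the 8.x defaults the page describes for -1 and for a missing cookieName), renders the equivalent Set-Cookie attributes so the meaning of each property is visible, and flags every deviation from the recommendations. It is an added example, not Evolphin's code; it assumes only the tag names documented on this page, and the Set-Cookie line is an illustration of how the properties map to standard cookie attributes, not the server's exact output. The embedded XML is a constructed sample in which the WebVAB section is deliberately left at the old weak defaults.

```python
"""Lint the cookie/session settings of each web app spec in a preview-server.xml.

Added example (not Evolphin's code). Assumes the tag names documented on this
page; the Set-Cookie rendering illustrates what the attributes mean and is not
the Preview Server's exact header.
"""
import xml.etree.ElementTree as ET

APP_SPECS = ("webclientAppSpec", "webVabAppSpec", "reviewWebAppSpec")
SEVEN_DAYS = 7 * 24 * 3600   # 604800 s: 8.x effective default when sessionAge is -1
THIRTY_MINUTES = 30 * 60     # 1800 s: 8.x effective default when maxSessionInactiveInterval is -1

# Constructed sample modelled on the page's example; webVabAppSpec is deliberately weak.
SAMPLE_XML = """<previewserverspec>
  <webclientAppSpec>
    <webpath>/webclient</webpath>
    <cookieName>WEBCLIENT_SESSION_COOKIE</cookieName>
    <sessionAge>604800</sessionAge>
    <sessionPath>/webclient</sessionPath>
    <secureCookie>true</secureCookie>
    <httpOnly>true</httpOnly>
    <maxSessionInactiveInterval>1800</maxSessionInactiveInterval>
    <customCookieAttribute>SameSite=Strict</customCookieAttribute>
  </webclientAppSpec>
  <webVabAppSpec>
    <webpath>/vab</webpath>
    <sessionAge>-1</sessionAge>
    <secureCookie>false</secureCookie>
    <httpOnly>false</httpOnly>
    <maxSessionInactiveInterval>-1</maxSessionInactiveInterval>
    <customCookieAttribute>SameSite=None</customCookieAttribute>
  </webVabAppSpec>
</previewserverspec>
"""


def _text(spec, tag, default=None):
    """Trimmed text of a child tag, or the default when the tag is absent/empty."""
    node = spec.find(tag)
    return node.text.strip() if node is not None and node.text else default


def _flag(spec, tag):
    """Boolean child tag; anything other than 'true' (case-insensitive) counts as false."""
    return _text(spec, tag, "false").lower() == "true"


def effective_settings(spec):
    """Settings as the page says a 8.x server would apply them (-1 -> documented default)."""
    age = int(_text(spec, "sessionAge", "-1"))
    idle = int(_text(spec, "maxSessionInactiveInterval", "-1"))
    return {
        "cookieName": _text(spec, "cookieName", "JSESSIONID"),      # page: default is JSESSIONID
        "path": _text(spec, "sessionPath", _text(spec, "webpath", "/")),
        "domain": _text(spec, "sessionDomain"),                     # null by default
        "sessionAge": SEVEN_DAYS if age == -1 else age,
        "idle": THIRTY_MINUTES if idle == -1 else idle,
        "secure": _flag(spec, "secureCookie"),
        "httpOnly": _flag(spec, "httpOnly"),
        "custom": _text(spec, "customCookieAttribute"),
    }


def settings_for(xml_text, tag):
    """Convenience wrapper: effective settings of one app spec in an XML document."""
    return effective_settings(ET.fromstring(xml_text).find(tag))


def render_set_cookie(settings):
    """Illustrative Set-Cookie header for the settings (session value is a placeholder)."""
    parts = [f"{settings['cookieName']}=<session-id>", f"Path={settings['path']}",
             f"Max-Age={settings['sessionAge']}"]
    if settings["domain"]:
        parts.append(f"Domain={settings['domain']}")
    if settings["secure"]:
        parts.append("Secure")
    if settings["httpOnly"]:
        parts.append("HttpOnly")
    if settings["custom"]:
        parts.append(settings["custom"])
    return "; ".join(parts)


def lint_spec(spec):
    """Findings for one app spec, checked against the page's recommendations."""
    findings = []
    if _text(spec, "sessionAge", "-1") == "-1":
        findings.append("sessionAge is -1 (never expire); set a fixed value such as 604800")
    if _text(spec, "maxSessionInactiveInterval", "-1") == "-1":
        findings.append("maxSessionInactiveInterval is -1; set a fixed value such as 1800")
    if not _flag(spec, "secureCookie"):
        findings.append("secureCookie is not true; cookie may be sent over plain HTTP")
    if not _flag(spec, "httpOnly"):
        findings.append("httpOnly is not true; cookie is readable from JavaScript")
    custom = (_text(spec, "customCookieAttribute") or "").replace(" ", "").lower()
    if custom == "samesite=none" and not _flag(spec, "secureCookie"):
        findings.append("SameSite=None requires secureCookie=true")
    return findings


def lint_config(xml_text):
    """Map each app spec present in the document to its list of findings."""
    root = ET.fromstring(xml_text)
    return {tag: lint_spec(root.find(tag)) for tag in APP_SPECS if root.find(tag) is not None}


if __name__ == "__main__":
    for tag, findings in lint_config(SAMPLE_XML).items():
        print(f"{tag}: {render_set_cookie(settings_for(SAMPLE_XML, tag))}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against a real file by replacing SAMPLE_XML with the file's contents; a section with an empty findings list meets all four recommendations, and the rendered line shows at a glance which attributes the browser will actually enforce.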

Zoom Webmin

It is possible to configure similar cookie and session properties on the Zoom Webmin. To do this, one has to edit the server.xml file by hand.
Note: Supported in v8.0 or higher.

Example of webmin app spec from server.xml

<serverspec>
  ...
  ...
  <webserverspec>
   ...
   ...
    <webminWebAppSpec>      
      <httpOnly>true</httpOnly>
      <secureCookie>true</secureCookie>
      <customCookieAttributes>SameSite=None</customCookieAttributes>      
      <maxSessionInactiveInterval>1800</maxSessionInactiveInterval>
    </webminWebAppSpec>
  </webserverspec>
...
...
</serverspec>

As you can see above, you can add or edit the section:
<serverspec> => <webserverspec> => <webminWebAppSpec>

Properties you are allowed to edit

  • httpOnly: Default is true.
  • secureCookie: Default is true.
  • customCookieAttributes: No default is set by the server; the browser's own default behaviour applies.
  • maxSessionInactiveInterval: Default is 30 minutes.
