More Security with StateWall
Here is a short list of protections that can be built with the concepts described in this article:
- Login brute-forcing defense. Application-level brute-forcing of login forms is one of the most common attack vectors, and a session-based approach can guard against it. StateWall can be written to track the number of login attempts made by each session and to block further requests from that session, or from its source IP address, once a threshold is crossed. Tracking by IP address as well as by session matters: an attacker who simply discards the session cookie would otherwise start every run with a fresh counter.
- Session-based logging. Standard HTTP request logs carry no session information. With IHttpModule, however, you can build a logging mechanism that records requests per session, so that, for example, a rule can capture every request originating from user "john".
- Dynamic tokens. IHttpModule makes it possible to implement session tokens that change from request to request. This is a defense against session hijacking: it narrows the window in which a stolen token is usable and makes a replay detectable, because the legitimate client and the attacker cannot both hold the current token. The application firewall checks these tokens before the response is served.
This is a short list, but an important one nonetheless. Read/write access to session variables gives the firewall considerable power to implement session-based protection.
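The brute-forcing defense and the dynamic-token check from the list above, written as one IHttpModule. This is an added example, not StateWall's own code or any code from the original article; the login path, the attempt threshold, the session keys and the cookie name are assumptions chosen for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;

// Added example, not StateWall's own code: an IHttpModule that uses read/write
// session access to (1) count login attempts per session and block the session
// once a threshold is crossed, and (2) issue and verify a per-request rotating
// token as a session-hijacking check. Paths, names and thresholds are assumptions.
public class SessionGuardModule : IHttpModule
{
    private const string LoginPath = "/login.aspx"; // assumed login handler path
    private const int MaxAttempts = 5;               // assumed attempt threshold
    private const string AttemptsKey = "sw_attempts";
    private const string TokenKey = "sw_token";
    private const string TokenCookie = "sw_tok";

    public void Init(HttpApplication app)
    {
        // Session state is attached during AcquireRequestState, so the first
        // event that gives read/write access to it is PostAcquireRequestState.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    private void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Session == null) return; // handler without session state, e.g. a static file

        // Dynamic token check: the cookie presented must match the value stored
        // in the session on the previous response; otherwise drop the request.
        // The very first request of a session carries no token yet and is let through.
        string expected = ctx.Session[TokenKey] as string;
        HttpCookie presented = ctx.Request.Cookies[TokenCookie];
        if (expected != null && (presented == null || !FixedTimeEquals(expected, presented.Value)))
        {
            Reject(ctx, 403, "session token mismatch");
            return;
        }

        // Brute-force defense: count POSTs to the login page for this session.
        if (ctx.Request.HttpMethod == "POST" &&
            string.Equals(ctx.Request.Path, LoginPath, StringComparison.OrdinalIgnoreCase))
        {
            int attempts = (ctx.Session[AttemptsKey] as int? ?? 0) + 1;
            ctx.Session[AttemptsKey] = attempts;
            if (attempts > MaxAttempts)
            {
                Reject(ctx, 403, "too many login attempts for this session");
                return;
            }
        }

        // Rotate the token: remember the new value in the session and hand it to
        // the client; the next request must present exactly this value.
        string token = NewToken();
        ctx.Session[TokenKey] = token;
        ctx.Response.Cookies.Add(new HttpCookie(TokenCookie, token)
        {
            HttpOnly = true,
            Secure = ctx.Request.IsSecureConnection
        });
    }

    // 128 bits from the platform CSPRNG, hex-encoded so the value is cookie-safe.
    private static string NewToken()
    {
        byte[] buf = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(buf);
        return BitConverter.ToString(buf).Replace("-", "");
    }

    // Compare without returning early on the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static void Reject(HttpContext ctx, int status, string reason)
    {
        ctx.Response.StatusCode = status;
        ctx.Response.Write(reason);
        ctx.ApplicationInstance.CompleteRequest(); // skip the page handler entirely
    }
}
```

Register the module in web.config under system.webServer/modules (IIS integrated pipeline) or system.web/httpModules (classic mode). Two caveats a deployment needs to handle: the application should clear Session["sw_attempts"] after a successful login so a legitimate user is not locked out by their own earlier typos, and rotating the token on every request will reject requests that arrive concurrently (parallel XHR calls, a cached back-button page), so in practice you either rotate only on the sensitive paths or keep the previous token valid for one extra request. A client that drops its session cookie also gets a fresh counter, which is why the article pairs session tracking with IP-based blocking.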