Tracking users
The user tracking feature allows you to track sessions by user and capture a username for reference in traffic and attack log messages.
When FortiWeb detects users that match the criteria you specify in a user tracking policy, it stores the session ID and username.
FortiWeb uses the following three modules to track users (descending order of priority):
- User Tracking policy. See To create a user tracking policy.
- Site Publish rule. See To configure offloaded authentication with optional SSO.
- Certificate Verification. See Certificate Verification and To configure client PKI authentication .
If a User Tracking policy is configured, FortiWeb will use the policy to track users. If the User Tracking policy is unable to track a user, FortiWeb will use a Site Publish rule, if any, to track a user. If the Site Publish rule is unable to track a user, FortiWeb will use a client certificate to track a user.
Determining which users to track
FortiWeb tracks only users who have logged in successfully. It uses one of the following methods to determine whether a log in is successful:
- The response matches a condition you specify in the user tracking rule, such as a return code or a string in the response body. You create these conditions in the rule's Authentication Result Condition Table.
- If the response does not match a condition in the table, FortiWeb uses the default result that you select for the rule.
FortiWeb stops tracking users when either of the following two events occur:
- The client request contains the log off URL that you specify in the user tracking rule. (The log off URL setting is optional.)
- The session is idle for longer than the session timeout value you specify in the rule.
Taking action against timed-out sessions
When you enable Session Timeout Enforcement in a user tracking rule, you can also configure a Session Freeze Time. After a session has been idle for longer than the timeout value, if a request has the session ID of the timed-out session, FortiWeb takes the action you specify in the rule. FortiWeb continues to take this action against requests with the session ID for the length of time specified by Session Freeze Time.
User tracking and advanced protection custom rules
You can also use the user tracking feature to create a filter in a custom rule that matches specific users. This type of custom rule requires you to create a user tracking policy and apply it to the protection profile that uses the custom rule. For details, see Combination access control & rate limiting.
You can apply a user tracking policy using either an inline or Offline Protection profile. However, in Offline Protection mode, Session Fixation Protection, Session Timeout Enforcement, and the deny, redirect and period block actions are not supported. |
To create a user tracking policy
- Go to Tracking > User Tracking, and select the User Tracking Rule tab.
- Click Create New, and then complete the following settings:
-
Alert—Accept the request and generate an alert email and/or log message.
-
Alert & Deny—Block the request (or reset the connection) and generate an alert email and/or log message.
You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).
Note: Because the deny action is not supported in Offline Protection mode, this option has the same effect as Alert. -
Deny (no log)—Block the request (or reset the connection).
-
Redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert and/or log message. Also configure Redirect URL and Redirect URL With Reason.
Caution: This option is not supported in Offline Protection mode -
Period Block—Block subsequent requests from the client for a specified number of seconds.
You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).
Caution: This option is not supported in Offline Protection mode -
Session Timeout Enforcement message:
Session Timeout Enforcement: triggered by user <username>.
-
Credential Stuffing Defense Violation message:
Triggered by user <username>: Credential Stuffing Defense Violation.
- Informative
- Low
- Medium
- High
- Click OK.
- To add an entry to the Authentication Result Condition Table, click Create New, and then complete the following settings:
- Click OK, and then add any additional table entries that are required.
- Create any additional rules that are required.
- To add the rules to a policy, go to Tracking > User Tracking, select the User Tracking Policy tab, click Create New, enter a name for the policy, and then click OK.
- Click Create New, select the user tracking rule to add, and then click OK.
- Add any additional rules that are required, and then click OK.
- To apply the user tracking rule, select it in an inline or Offline Protection profile. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
Name | Enter a name that identifies the rule. |
Authentication URL | Enter the URL to match in authorization requests. Ensure that the value begins with a forward slash ( / ). |
Username Field | Enter the username field value to match in authorization requests. |
Password Field | Enter the password field value to match in authorization requests. |
Session ID Name | Type the name of the session ID that is used to identify each session. Examples of session ID names are sid , PHPSESSID , and JSESSIONID . |
Default Authentication Result | Enter the authentication result that FortiWeb associates with requests that match the criteria but do not match an entry in the Authentication Result Condition Table. When the login result is successful, FortiWeb tracks the session using the session ID and username values. |
Log Off Path | Optionally, enter the URL of the request that a client sends to log out of the application. When the client sends this URL, FortiWeb stops tracking the user session. Ensure that the value begins with a forward slash ( / ). |
Session Timeout | Enter the length of time in minutes that FortiWeb waits before it stops tracking an inactive user session. Valid values are from 1 to 14400. |
Session Fixation Protection | Enable to configure FortiWeb to erase session IDs from the cookie and argument fields of a matching login request. FortiWeb erases the IDs for non-authenticated sessions only. For web applications that do not renew the session cookie when a user logs in, it is possible for an attacker to trick a user into authenticating with a session ID that the attacker acquired earlier. This feature prevents the attacker from accessing the web app in an authenticated session. When this feature removes session IDs, FortiWeb does not generate a log message because it is very common for a legitimate user to access a web application using an existing cookie. For example, a client who leaves his or her web browser open between sessions presents the cookie from an earlier session. Caution: This option is not supported in Offline Protection mode. |
Session Timeout Enforcement | Enable to configure FortiWeb to remove the session ID for user sessions that are idle for longer than the session timeout threshold. When a session is reset, the client has to log in again to access the back-end server. If a session exceeds the timeout threshold, instead of tracking subsequent matching sessions by user, FortiWeb takes the specified action, for a length of time specified by Session Freeze Time. Caution: This option is not supported in Offline Protection mode. |
Credential Stuffing Defense |
Enable to use FortiGuard's Credential Stuffing Defense database to prevent against Credential Stuffing attacks. When this setting is enabled, FortiWeb will evaluate the username (Username Field) and password (Password Field) of the matched login requests against the Credential Stuffing Defense database to identify whether the paired username/password has been spilled. If it has, the specified Action triggers and the Trigger Policy is applied. Caution: FortiWeb has no built-in Credential Stuffing Defense database. At least one FortiGuard update is required to install the database, otherwise this feature is ineffective. For details, see Connecting to FortiGuard services. |
Session Freeze Time |
Enter the length of time after a session exceeds the timeout threshold that FortiWeb takes the specified action against requests with the ID of the timed-out session. After the freeze time has elapsed, FortiWeb removes the session ID for idle sessions but no longer takes the specified action. |
Action |
Select the action that FortiWeb takes against requests with the ID of a timed-out session during the specified time period or if the paired username/password is found in Credential Stuffing Defense database: When the action generates a log message, the message field values will be: Available only when Session Timeout Enforcement and/or Credential Stuffing Defense is On. |
Block Period |
Type the number of seconds that you want to block requests with the ID of a timed-out session. This setting is available only if Action is set to Period Block. The valid range is from 1 to 3,600 (1 hour). The default value is 60. See also Monitoring currently blocked IPs. |
Severity |
When the session timeout settings or credential stuffing defense generates an attack log, each log message contains a Severity Level ( The default value is Low. |
Trigger Policy | Select which trigger, if any, that FortiWeb uses when it logs or sends an alert email about the session timeout or credential stuffing hit. See Configuring triggers. Available only when Session Timeout Enforcement and/or Credential Stuffing Defense is On. |
When both Session Timeout Enforcement and Credential Stuffing Defense are enabled, violations of any of the two security events will trigger the same actions (they use a common set of configurations: Action, Block Period, Severity and Trigger Policy).
Authentication Result Type | Specify the status FortiWeb assigns to user logins that match this table item: Failed or Successful. FortiWeb tracks sessions by user only when the status is Successful. If the request does not match any rules in this table, FortiWeb uses the value specified by Default Authentication Result. |
HTTP Match Target | Select the location of the value to match with the string or regular expression specified in this table item: Return Code, Response Body, Redirect URL. |
Value Type | Indicate whether Value is a Simple String or a Regular Expression. |
Value | Enter the value to match. |