In Magento Open Source default installation, you can validate session variables to avoid session fixation attacks, or attempts to infect or sniff user sessions. The Session Validation Settings decide how to validate session variables during each store visit, and if the session ID is added to the URL of your online store.
The validation checks to see that visitors are who they say they are by comparing the value in the validation variables with the session data that is saved in $_SESSION data for the user. If the information is not transferred as expected, and the corresponding variable is null, that means validation fails. Depending on the session validation settings, if a session variable fails the validation step, the client session immediately terminates.
Enabling all of the validation variables can help prevent attacks, but might also decrease the performance of the server. In the default installation, all session variable validation is disabled. We recommend that you test with the settings to find the best combination for your Magento installation. Activating all of the validation variables might prove to be unduly restrictive, and prevent access to customers who have Internet connections that pass through a proxy server, or that originate from behind a firewall. To learn more about session variables and their use, see the system administration documentation for your Linux system.
To configure the Session Validation Settings:
On the Admin sidebar, tap Stores > Under Settings, click Configuration > On the left of the panel under General, click Web. > Open the Session Validation Settings tab. Then, follow these steps:
- Set Validate REMOTE_ADDR to “Yes” to verify that the IP address of a request matches what is stored in the $_SESSION variable.
- Set Validate HTTP_VIA to “Yes” to verify that the proxy address of an incoming request matches what is saved in the $_SESSION variable.
- Set Validate HTTP_X_FORWARDED_FOR to “Yes” to verify that the forwarded-for address of a request matches what is saved in the $_SESSION variable.
- Set Validate HTTP_USER_AGENT to “Yes” to verify that the browser or device that is used to access the store during a session matches what is saved in the $_SESSION variable.
- Set Use SID on Frontend to “Yes” if you want a user to stay logged in while switching between stores, set Use SID on Frontend to “Yes.”
If including SID with analytics, you must configure your analytics software to filter the SID from URLs, so the page visit counts are correct.
- Click Save Config.