Hi Aron,
Thanks for sharing the videos.
The Enhanced Session Assurance feature does enhance security in terms of session replay or its use after a session has been hijacked.
Question 1) Correct me please if wrong - this feature does prevent session replay attacks as it has fingerprint data, but it is all useful if the session is already hijacked, because we are simply storing it as a part of the session to avoid replay. I do understand the traditional flow for this feature is pretty much comparable to Cookie provider and .ccc
Question 2) Isn't there a bigger RISK when we actually allow device/user details to be set in the cookie/session, simply because it allows hijackers more information about the user/device, while using the existing functionality of the SiteMinder Web Agent we can always prevent session replay with exposed parameters which are already part of the session spec, or rather SMSESSION.
Isn't this better? If we consider RiskFort/RiskMinder, there are options where we can actually check characteristics of the user/device (fingerprint data) at runtime/a checkpoint (without storing it all in the cookie).
Say I am using RiskMinder in XYZ BANK and, while paying a third party, I can just check if the device fingerprint has changed since the user logged in.
What are your thoughts on this, Sir?