In this article, we learn how to configure various cookie and session management properties on the Zoom Webmin and Preview Server.
By learning about cookie and session properties, one can fine tune the settings according their environment and make them more secure.<\/p>\n\n\n\n
Evolphin Preview Server hosts and provides various functionalities like Webclient, Preview generation, Streaming of Videos, APIs etc…
To use any of the Preview server features, one has to establish an authenticated session and obtain a authenticated cookie.
Admins need carefully tune the cookies and session timeouts to serve the best user experience.<\/p>\n\n\n\n
Note:<\/strong> Web applications settings for Webclient, WebVAB and APIs are similar but present in the different sections in the preview-server.xml<\/strong> file, so each application can be configured independently.<\/p>\n\n\n\n It is possible to configure the similar cookie and session properties on the Zoom webmin. To do this, one has to edit the As, you can see above, you can add\/edit the section: <\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" In this article, we learn how to configure various cookie and session management properties on the Zoom Webmin and Preview Server.By learning about cookie and session properties, one can fine tune the settings according their environment and make them more secure. Preview Server Evolphin Preview Server hosts and provides various functionalities like Webclient, Preview generation, […]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[27,92,166,120],"tags":[235,98,202,234],"class_list":["post-15988","post","type-post","status-publish","format-standard","hentry","category-administration-server","category-preview","category-security","category-preview-faq","tag-cookie","tag-preview-server","tag-security","tag-session"],"yoast_head":"\nVarious web applications on Preview Server<\/h3>\n\n\n\n
Understanding XML tags<\/h3>\n\n\n\n
WARNING<\/span><\/strong>: Changing this value is not recommended and might result in unexpected application misbehavior.<\/li>
WARNING<\/strong>: Changing this value is not recommended and might result in unexpected application misbehavior.<\/li>
NOTE<\/span><\/span>:<\/strong> Older version of Preview server has this value default set to -1(Never expire)<\/strong>. We recommend admins to inspect this value and change to some fixed number of seconds, for example may be 7days. This property causes browser to discard the stored cookie after this fixed amount of time. Do not set this value to too low otherwise user’s will be logged out even before the idle session timeout.
NOTE<\/span>: <\/strong>Zoom version 8.x<\/strong> or higher default equivalent value of this property is changing to 7 days, even if the XML has the value -1, the effective value would be equivalent to 7 days. <\/li>
NOTE<\/span><\/span>:<\/strong> It is recommended to use HTTPS<\/strong> and set this property to true<\/strong>.<\/li>
NOTE:<\/strong> It is recommended to set this property to true<\/strong>.<\/li>
Just settings this value higher won’t results the users to stay logged in longer, as other factors like concurrent session timeout<\/em>, Zoom cookie timeout<\/em> also plays the role in user session timeout. Webclient users will get logged out if Concurrent session timeout is less than this property. So, please make sure you set this value according to the value present on the Zoom server. For more details read this Zoom License<\/a> article.
NOTE<\/span>:<\/strong> Older version of Preview server has this value default set to -1(Never expire)<\/strong>. We strongly recommend admins to inspect this value and change to some fixed number of seconds. For example: You can set this to 1800 for 30mins of idle interval.
NOTE<\/span>:<\/strong> Zoom version 8.x<\/strong> and onward default equivalent value of this property is changing to 30mins, even if the XML has the value -1, the effective value would be equivalent to 30mins.<\/li>
NOTE:<\/span><\/strong> This property is only available in 8.X or higher version.
To set set the SameSite<\/strong> attribute, use it like this: <customCookieAttribute>SameSite=Strict<\/customCookieAttribute><\/code>SameSite=Strict<\/code><\/strong> => Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.<\/li>SameSite=Lax<\/code> => Cookies are allowed to be sent with top-level navigations and will be sent along with GET request initiated by third party website. This is the default value in modern browsers.<\/li>SameSite=None<\/code> => Cookies will be sent in all contexts, i.e sending cross-origin is allowed. Note:<\/strong> None<\/code> requires the Secure<\/code><\/a> attribute to be true. If you are setting none, please secureCookie<\/code> to true<\/code>.
<\/li><\/ol><\/li><\/ol>\n\n\n\nRecommendations<\/strong><\/h3>\n\n\n\n
Example of preview-server.xml<\/strong><\/h2>\n\n\n\n
<previewserverspec>\n <reviewWebAppSpec>\n <webpath>\/review<\/webpath>\n <cookieName>REVIEW_SESSION_COOKIE<\/cookieName>\n <sessionAge>604800<\/sessionAge>\n <sessionPath>\/review<\/sessionPath>\n <secureCookie>true<\/secureCookie>\n <httpOnly>true<\/httpOnly>\n <maxSessionInactiveInterval>3600<\/maxSessionInactiveInterval>\n <sessionTrackingMode>COOKIE<\/sessionTrackingMode>\n <customCookieAttribute>SameSite=Strict<\/customCookieAttribute>\n <\/reviewWebAppSpec>\n <webVabAppSpec>\n <webpath>\/vab<\/webpath>\n <cookieName>WEBVAB_SESSION_COOKIE<\/cookieName>\n <sessionAge>604800<\/sessionAge>\n <sessionPath>\/vab<\/sessionPath>\n <secureCookie>true<\/secureCookie>\n <httpOnly>true<\/httpOnly>\n <maxSessionInactiveInterval>3600<\/maxSessionInactiveInterval>\n <sessionTrackingMode>COOKIE<\/sessionTrackingMode>\n <\/webVabAppSpec>\n <webclientAppSpec>\n <webpath>\/webclient<\/webpath>\n <cookieName>WEBCLIENT_SESSION_COOKIE<\/cookieName>\n <sessionAge>604800<\/sessionAge>\n <sessionPath>\/webclient<\/sessionPath>\n <secureCookie>true<\/secureCookie>\n <httpOnly>true<\/httpOnly>\n <maxSessionInactiveInterval>3600<\/maxSessionInactiveInterval>\n <sessionTrackingMode>COOKIE<\/sessionTrackingMode> \n <customCookieAttribute>SameSite=Strict<\/customCookieAttribute>\n <\/webclientAppSpec>\n.....\n.....\n<\/previewserverspec><\/code><\/pre>\n\n\n\nZoom Webmin<\/h3>\n\n\n\n
server.xml<\/code> file by hand.
Note: <\/strong>Supported in v8.0 or higher<\/p>\n\n\n\nExample of webmin app spec from server.xml<\/h4>\n\n\n\n
<serverspec>\n ...\n ...\n <webserverspec>\n ...\n ...\n <webminWebAppSpec> \n <httpOnly>true<\/httpOnly>\n <secureCookie>true<\/secureCookie>\n <customCookieAttributes>SameSite=None<\/customCookieAttributes> \n <maxSessionInactiveInterval>1800<\/maxSessionInactiveInterval>\n <\/webminWebAppSpec>\n <\/webserverspec>\n...\n...\n<\/serverspec><\/code><\/pre>\n\n\n\n
<serverspec> => <webserverspec> => <webminAppSpec<\/code>><\/p>\n\n\n\nProperties you are allowed to edit<\/h3>\n\n\n\n
httpOnly<\/code> Default is true<\/li>secureCookie<\/code> Default is true.<\/li>customCookieAttributes<\/code> Default is whatever set by browser.<\/li>maxSessionInactiveInterval<\/code> Default is 30mins<\/li><\/ul>\n\n\n\nReferences<\/h4>\n\n\n\n