Secure communication

Transport Layer Security (TLS) is a protocol for protecting internet communications. TLS ensures that a communication is not read or changed by another entity. Blackboard Learn uses TLS to secure communications between the Web server and the client machine.


Session management

Session ID lifecycle

Each session in Blackboard Learn is protected by a cryptographically secure session identifier, stored inside a browser cookie. To help protect from session fixation attacks, the session identifier is rotated on page load, after successful login, and after logout.

Cookies

By default, two simple cookie flags are set on the session-management cookie as an added measure against session hijacking: HttpOnly and Secure.

BbRouter is the only cookie used for session management. It has the HttpOnly flag set, which provides an additional layer of protection against access by potentially malicious client-side scripts. Learn has long required TLS to be enabled system-wide. In an abundance of caution, the Secure flag is also set, so that browsers never send the cookie over plain HTTP without TLS ("SSL").

The JSESSIONID cookie is not related to session management and has neither the HttpOnly nor the Secure flag set.

In SaaS, two additional cookies are present which do not have the Secure and HttpOnly flags: AWSELB and AWSELBCORS. Learn is largely stateless; however, a modicum of session affinity exists, implemented on the load balancer using those cookies. You can learn more about these cookies from the AWS article, Configure sticky sessions for your Classic Load Balancer.
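To verify that a deployment actually matches the cookie policy described above, an administrator can audit the Set-Cookie headers returned by the server. The following script is an added example and not Blackboard code: it parses each Set-Cookie header, reports which of the HttpOnly and Secure flags are absent, and flags only the session cookie (BbRouter) as a violation, since JSESSIONID, AWSELB and AWSELBCORS are documented as not carrying the flags. The header values are constructed for the example; the set of session cookie names is an assumption you would adjust for your environment.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example, not Blackboard Learn code. The header values below are
constructed; real BbRouter values differ."""
from dataclasses import dataclass

# Constructed sample Set-Cookie headers reflecting the defaults described above:
# only BbRouter carries both flags.
SAMPLE_SET_COOKIE_HEADERS = [
    "BbRouter=expires:0,id:EXAMPLE,sessionId:EXAMPLE; Path=/; Secure; HttpOnly",
    "JSESSIONID=EXAMPLEJSESSIONID; Path=/",
    "AWSELB=EXAMPLEAWSELB; Path=/",
    "AWSELBCORS=EXAMPLEAWSELBCORS; Path=/; SameSite=None",
]

# Cookies that carry the authenticated session and so must have both flags
# (assumption: adjust to your deployment).
SESSION_COOKIE_NAMES = {"BbRouter"}


@dataclass
class ParsedCookie:
    name: str
    value: str
    attributes: dict  # lower-cased attribute name -> value, or True for bare flags


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split one Set-Cookie header into name, value and attributes (RFC 6265 style)."""
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attributes = {}
    for segment in segments[1:]:
        if not segment:
            continue
        key, has_value, val = segment.partition("=")
        attributes[key.strip().lower()] = val.strip() if has_value else True
    return ParsedCookie(name.strip(), value.strip(), attributes)


def missing_flags(cookie: ParsedCookie) -> list:
    """Return which of HttpOnly / Secure are absent on this cookie."""
    missing = []
    if "httponly" not in cookie.attributes:
        missing.append("HttpOnly")
    if "secure" not in cookie.attributes:
        missing.append("Secure")
    return missing


def audit(headers, session_cookie_names=SESSION_COOKIE_NAMES) -> dict:
    """Map each cookie name to its missing flags.

    'violations' lists the session cookies that lack at least one flag; the
    other cookies are reported for information only."""
    report = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        report[cookie.name] = missing_flags(cookie)
    violations = sorted(n for n, m in report.items() if n in session_cookie_names and m)
    return {"cookies": report, "violations": violations}


if __name__ == "__main__":
    result = audit(SAMPLE_SET_COOKIE_HEADERS)
    for name, missing in result["cookies"].items():
        print(f"{name}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
    print("session cookie violations:", result["violations"] or "none")
```

In practice you would feed `audit()` the Set-Cookie headers captured from a real login response (for example from the browser's developer tools or a `curl -i` request) instead of the constructed list.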

Session expiration

Sessions automatically expire after a user has been idle beyond a pre-configured duration. Sessions may also be manually expired through an explicit logout.


Session fingerprinting

Session fingerprinting helps detect when a user's session has been hijacked by a malicious attacker. A fingerprint helps identify a user, for example by their computer's IP address or the type of browser (User Agent) they are using; a request whose fingerprint no longer matches the one recorded for the session is treated as suspect. Session fingerprinting is a mitigating control that reduces the risk of session hijacking.

Blackboard highly recommends enabling this control. To enable it properly, you must select both Enable session fingerprinting and Create new session when fingerprint changes.

Configure session fingerprinting

On the Administrator Panel, under Security, select Session Fingerprint Settings. The following table describes the available fields.

Field: Enable session fingerprinting
Description: Select Yes to enable session fingerprinting.

Field: Log Location
Description: The location to which changes to users' fingerprints are logged. Learn more about system logs.

Field: Fingerprint Value
Description: Choose which values to include in the session fingerprint: IP address, User agent, or both. To minimize repeated login prompts, it is recommended to use the IP address only, since the IP address should change less often than the User Agent.

  • IP address: The IP address is the address of the user's computer. Generally this will not change during a session. However, there are instances where this may occur, for example, when using certain Internet Service Providers.
  • User Agent: The user agent indicates the particular browser, Operating System, and other minor software details about the browser the user is using to access the site. This value is generated by the browser and may not be accurate. For example, in Safari, the Operating System version never changes. Users can usually override it with browser extensions.

Field: Filter IP Addresses
Description: This option was added with a default ruleset to work around problems with AOL, a U.S. internet service provider. While this feature still works for that unique purpose, it shouldn't be used in any other capacity because there is no control panel to edit the ruleset.

Field: Create new session when fingerprint changes
Description: Select Yes to force a new session to be created when a user's fingerprint changes. For valid hijacking attempts, this will cause the hijacker to see the login page while the user maintains the current session. However, if any false positives occur (as mentioned above in the Fingerprint Value section), the user will have to log in again. This is a tradeoff between security and convenience.

When "Create new session when fingerprint changes" is set to Yes, a login prompt will appear when the multiple file applet loads.
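The following model ties together the session ID lifecycle described earlier (rotation on login and logout) with the fingerprint settings in the table: which values feed the fingerprint, where changes are logged, and what "Create new session when fingerprint changes" does to a mismatching request. It is an added example modelled on the behaviour this page describes, not Blackboard Learn code; the SessionStore class, the SHA-256 fingerprint encoding, the in-memory log and the sample IP addresses and User Agent strings are assumptions made for illustration.

```python
"""Session fingerprinting with optional re-login on change.

Added example modelled on the behaviour described on this page; it is not
Blackboard Learn code. SessionStore, the SHA-256 fingerprint encoding and the
in-memory log are assumptions made for illustration."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    session_id: str
    user: Optional[str]   # None for an anonymous (not logged in) session
    fingerprint: str


class SessionStore:
    def __init__(self, use_ip=True, use_user_agent=False, new_session_on_change=True):
        # The three switches mirror the settings in the table above.
        self.use_ip = use_ip
        self.use_user_agent = use_user_agent
        self.new_session_on_change = new_session_on_change
        self.sessions = {}   # session_id -> Session
        self.log = []        # stands in for the configured log location

    def compute_fingerprint(self, ip: str, user_agent: str) -> str:
        """Hash the selected request attributes; IP only is the recommended default."""
        parts = []
        if self.use_ip:
            parts.append("ip=" + ip)
        if self.use_user_agent:
            parts.append("ua=" + user_agent)
        return hashlib.sha256("\n".join(parts).encode("utf-8")).hexdigest()

    def _new_session(self, user, fingerprint) -> Session:
        # secrets.token_urlsafe yields a cryptographically secure identifier.
        session = Session(secrets.token_urlsafe(32), user, fingerprint)
        self.sessions[session.session_id] = session
        return session

    def resolve(self, presented_id, ip, user_agent) -> Session:
        """Resolve the ID from the cookie, applying the fingerprint check."""
        fingerprint = self.compute_fingerprint(ip, user_agent)
        session = self.sessions.get(presented_id)
        if session is None:
            return self._new_session(None, fingerprint)   # unknown ID: fresh anonymous session
        if session.fingerprint == fingerprint:
            return session
        self.log.append(f"fingerprint changed for user={session.user!r}")
        if self.new_session_on_change:
            # The presenter gets a fresh anonymous session and therefore sees the login
            # page. The original session is left untouched, so its legitimate holder
            # keeps it; a false positive (e.g. an ISP changing the IP) costs a re-login.
            return self._new_session(None, fingerprint)
        return session   # log only: the session stays usable from the new fingerprint

    def login(self, presented_id, user, ip, user_agent) -> Session:
        """Rotate the identifier on successful login so a pre-login ID is never reused."""
        self.sessions.pop(presented_id, None)
        return self._new_session(user, self.compute_fingerprint(ip, user_agent))

    def logout(self, presented_id, ip, user_agent) -> Session:
        """Rotate again on logout; the caller continues with a new anonymous session."""
        self.sessions.pop(presented_id, None)
        return self._new_session(None, self.compute_fingerprint(ip, user_agent))


if __name__ == "__main__":
    # Constructed addresses and User Agent strings, not real traffic.
    store = SessionStore(use_ip=True, use_user_agent=False)
    anon = store.resolve("no-such-id", "198.51.100.10", "Browser/1.0")
    alice = store.login(anon.session_id, "alice", "198.51.100.10", "Browser/1.0")
    print("same IP, new browser build ->",
          store.resolve(alice.session_id, "198.51.100.10", "Browser/1.1").user)
    print("same cookie, other IP ->",
          store.resolve(alice.session_id, "203.0.113.7", "Browser/1.0").user)
    print("log:", store.log)
```

With IP-only fingerprinting a browser update does not disturb the session, while presenting the same cookie from a different address yields an anonymous session (the login page) and a log entry; switching `new_session_on_change` off keeps only the log entry, which is the convenience end of the tradeoff described in the table.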