Transport Layer Security (TLS) is a protocol for protecting Internet communications. TLS ensures that a communication is not read or changed by another entity. Blackboard Learn uses TLS to secure communications between the Web server and the client machine.
Session ID lifecycle
Each session in Blackboard Learn is protected by a cryptographically secure session identifier, stored inside a browser cookie. To help protect from session fixation attacks, the session identifier is rotated on page load, after successful login, and after logout.
We set two simple cookie flags as an added measure against session hijacking on the session management-related cookies by default: HttpOnly and Secure.
The session_id and s_session_id cookies are used for session management. These cookies have the HttpOnly flag set. The HttpOnly flag provides an additional layer of protection from unauthorized access by potentially malicious client-side scripts. When TLS is enabled system-wide, though the session_id cookie is still present, only the s_session_id cookie is used for session management. The s_session_id has the added protection of the Secure flag. The JSESSIONID cookie is not related to session management and does not have the HttpOnly nor the Secure flag set.
Sessions automatically expire after a user has been idle beyond a pre-configured duration. Sessions may also be manually expired through an explicit logout. System Administrators may customize the default session timeout duration by editing the bb.session.invalidation task.
Properties to adjust
- Delay - Period before the server starts before the first task is run (milliseconds)
- Period - Frequency of invalidation task (milliseconds)
- Invalid - User session timeout period (milliseconds)
Session fingerprinting can help detect when a user's session has been hijacked by a malicious attacker. A fingerprint helps uniquely identify users, for example, by using their computer's IP address or the type of browser (User Agent) that they are using. Session fingerprinting is a mitigating control to reduce the risk of session hijacking by a malicious attacker.