After July 2021, the 2.3.x release line no longer received quality updates or user guide updates. PHP 7.3 reached end of support in December 2021, and Adobe Commerce 2.3.x reached end of support in September 2022. We strongly recommend upgrading to Adobe Commerce 2.4.x to help maintain PCI compliance.

Session Validation

This site contains archived merchant documentation for a version of Adobe Commerce and Magento Open Source that has reached end-of-support. The documentation available here is intended for historical reference only and is not maintained. The Adobe Commerce Merchant Documentation for current releases is published on the Adobe Experience League.

Magento can validate session variables as a protective measure against session fixation attacks and attempts to poison or hijack user sessions. The Session Validation Settings determine which request variables are checked on every visit to the store, and whether the session ID is included in store URLs.

For technical information, see Use Redis for session storage in the developer documentation.

Session Validation Settings (General configuration, Web section)

The validation checks that a visitor is who they claim to be by comparing the values of the enabled request variables (such as the client IP address and the User-Agent header) with the values that were recorded in $_SESSION when the session was started. A variable that is missing from a request is compared as an empty value, so validation also fails when a header that was present at the start of the session is absent later, or appears when it was absent before. If any enabled variable fails validation, the client session is terminated immediately and the visitor must start a new one.

Enabling all of the validation variables can help prevent attacks, but might also impact the performance of the server. By default, all session variable validation is disabled. We recommend that you experiment with the settings to find the best combination for your Magento installation. Activating all of the validation variables might prove unduly restrictive, and could lock out customers whose Internet connections pass through a proxy server or originate from behind a firewall, because the apparent client address and the proxy headers can change from one request to the next even though the customer has not. Validating the User-Agent alone causes the fewest false rejections, but it is also the weakest check, because the client supplies that header and an attacker who has stolen a session cookie can copy the victim's value. The REMOTE_ADDR, HTTP_VIA, HTTP_X_FORWARDED_FOR, and HTTP_USER_AGENT values are the request variables that the web server passes to PHP; see your web server or operating system documentation for how they are populated.

Configure the Session Validation Settings

  1. On the Admin sidebar, go to Stores > Settings > Configuration.

  2. In the left panel, expand General and choose Web.

  3. Expand the Session Validation Settings section.

  4. Set each of the configuration options:

    • Validate REMOTE_ADDR — Set to Yes to verify that the IP address the request arrives from (REMOTE_ADDR) matches the one stored in $_SESSION. If the store sits behind a load balancer or reverse proxy, REMOTE_ADDR is the address of that intermediary rather than of the customer.

    • Validate HTTP_VIA — Set to Yes to verify that the Via header, which proxies add to identify themselves, matches what is stored in $_SESSION.

    • Validate HTTP_X_FORWARDED_FOR — Set to Yes to verify that the X-Forwarded-For header, which proxies use to pass along the original client address, matches what is stored in $_SESSION.

    • Validate HTTP_USER_AGENT — Set to Yes to verify that the User-Agent header sent by the browser or device used during the session matches what is stored in $_SESSION.

  5. When complete, click Save Config.
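The following is an added Python model of the behaviour described above (compare each enabled request variable with the value recorded at session start, treat a missing variable as an empty value, terminate the session on any mismatch) driven by the same four options the procedure sets. It was written for this page and is not Magento's own code; the config path strings, the fingerprint key name, and all request data are assumptions constructed for the example. It goes a little beyond the text by running constructed traffic through several setting combinations, so that both the hijack case and the proxy-pool false positive can be seen side by side.

```python
"""Session fingerprint validation modelled on Magento's Session Validation
Settings. Illustrative code written for this page, not Magento's own."""


class SessionTerminated(Exception):
    """Raised when a request fails validation; the session is destroyed."""


# Admin option -> request variable it compares. The config paths are the
# ones this example assumes Magento stores the four options under.
VALIDATION_SETTINGS = {
    "web/session/use_remote_addr": "REMOTE_ADDR",
    "web/session/use_http_via": "HTTP_VIA",
    "web/session/use_http_x_forwarded_for": "HTTP_X_FORWARDED_FOR",
    "web/session/use_http_user_agent": "HTTP_USER_AGENT",
}
FINGERPRINT_KEY = "_session_validator_data"  # assumed key name


def fingerprint(server):
    """Snapshot the validation variables from a $_SERVER-like dict.
    A variable that is absent is recorded as '' so it still takes part
    in later comparisons."""
    return {var: server.get(var, "") for var in VALIDATION_SETTINGS.values()}


def validate(session, server, config):
    """Validate one request against the fingerprint taken on the first
    request of the session. Only options set to True in `config` are
    checked; on any mismatch the session is cleared and the request
    rejected."""
    current = fingerprint(server)
    stored = session.get(FINGERPRINT_KEY)
    if stored is None:
        session[FINGERPRINT_KEY] = current   # first request: record, no check
        return
    for path, var in VALIDATION_SETTINGS.items():
        if config.get(path) and stored[var] != current[var]:
            session.clear()
            raise SessionTerminated(f"{var}: {stored[var]!r} != {current[var]!r}")


def simulate(config, requests):
    """Run a sequence of requests through one session and return the
    1-based index of the first request that was rejected, or None."""
    session = {}
    for i, server in enumerate(requests, 1):
        try:
            validate(session, server, config)
        except SessionTerminated:
            return i
    return None


# Constructed sample traffic (documentation IP ranges, not captured data).
UA = "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
LOGIN = {"REMOTE_ADDR": "203.0.113.10", "HTTP_USER_AGENT": UA}
# Same cookie replayed from another host with another client: a hijack.
HIJACK = {"REMOTE_ADDR": "198.51.100.7", "HTTP_USER_AGENT": "curl/7.81.0"}
# Hijack by an attacker who also copied the victim's User-Agent string.
HIJACK_SAME_UA = {"REMOTE_ADDR": "198.51.100.7", "HTTP_USER_AGENT": UA}
# Legitimate customer behind a proxy pool whose egress IP and Via header
# change between requests while the client itself stays the same.
PROXY_HOP_A = {"REMOTE_ADDR": "192.0.2.21", "HTTP_VIA": "1.1 proxy-a",
               "HTTP_X_FORWARDED_FOR": "10.0.0.5", "HTTP_USER_AGENT": UA}
PROXY_HOP_B = {"REMOTE_ADDR": "192.0.2.22", "HTTP_VIA": "1.1 proxy-b",
               "HTTP_X_FORWARDED_FOR": "10.0.0.5", "HTTP_USER_AGENT": UA}

ALL_OFF = {}                                   # Magento's default
ALL_ON = {path: True for path in VALIDATION_SETTINGS}
UA_ONLY = {"web/session/use_http_user_agent": True}
VIA_ONLY = {"web/session/use_http_via": True}


def main():
    cases = [
        ("hijack, all validation off", ALL_OFF, [LOGIN, LOGIN, HIJACK]),
        ("hijack, all validation on", ALL_ON, [LOGIN, LOGIN, HIJACK]),
        ("hijack with copied UA, UA only", UA_ONLY, [LOGIN, HIJACK_SAME_UA]),
        ("proxy pool, all validation on", ALL_ON, [PROXY_HOP_A, PROXY_HOP_B]),
        ("proxy pool, UA only", UA_ONLY, [PROXY_HOP_A, PROXY_HOP_B]),
        ("Via header disappears, Via only", VIA_ONLY, [PROXY_HOP_A, LOGIN]),
    ]
    for name, config, requests in cases:
        rejected = simulate(config, requests)
        print(f"{name}: " + ("accepted" if rejected is None
                              else f"rejected at request {rejected}"))


if __name__ == "__main__":
    main()
```

Running it shows the trade-off the settings page asks you to weigh: with everything disabled the replayed cookie is accepted from a different host and client; with everything enabled the replay is rejected at the first mismatching request, but so is the legitimate customer whose proxy pool changed its egress address between two requests; with only the User-Agent validated the proxied customer is fine, yet an attacker who copied the victim's User-Agent string is accepted too. The last case shows the empty-value rule: a Via header that was present at session start and is missing later fails validation just as a changed one does.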