Rotate HTTP session identifiers

  • Final version: Australia
  • Updated 12 March 2026
  • 1 minute read
  • Use the glide.ui.rotate_sessions property to enable rotation of HTTP session identifiers and reduce security vulnerabilities.

    If an unauthenticated user's session ID doesn't change after authentication, a web application is vulnerable to a session fixation attack. A malicious user could start an unauthenticated session and give the associated session ID to the victim. Once the victim authenticates, the malicious user now shares that authenticated session.

    More information

    Property name: glide.ui.rotate_sessions
    Configuration type: System Properties (/sys_properties_list.do)
    Category: Session management
    Purpose: To achieve more secure session authentication.
    Recommended value: true
    Default value: true
    Security risk rating: 8.8
    Functional impact: This remediation changes the session ID when a user navigates from an unauthenticated page to an authenticated page.
      • If you use a proxy, or hardcode the session ID when a user first logs in or for any other purpose, there can be a potential functional impact.
      • If you use the SAML 2.0 plugin for single sign-on authentication, rotation might interfere with the sharing of session information between the instance and the identity provider. In that case, you can set this property to false.
    Security risk (Moderate): The session ID is used to process and authenticate the instance user by maintaining the session state in the browser. The session ID is therefore sensitive data and should be secure by default. Session rotation is a security control that forces the session ID to change whenever the user navigates from unauthenticated pages to authenticated pages.
    References

    Authentication with SAML

    To learn more about adding or creating a system property, see Add a system property.