Session validation context

Release version: Australia

Updated March 12, 2026

2 minutes to read

Summarize

Summarized using AI

Summary of Session validation context

The Session Validation Context in ServiceNow provides an additional security layer to protect against session or cookie hijacking by validating users' session IP addresses. It integrates with the Adaptive Authentication Policy Framework to enforce IP restrictions during an active session, enhancing protection for authenticated users. This feature is configurable, applies only to post-login requests, and is not applicable for guest sessions or native mobile apps.

Show full answer Show less

Key Features

Integration with Adaptive Authentication: Works with authentication policies to allow or deny access based on IP address and other conditions.
Session IP Address Validation: Captures the user’s IP address at session creation and validates subsequent requests against this IP or allowed IP ranges.
Policy Configuration: Supports Allow Policy (default deny, allow on condition) or Deny Policy (default allow, deny on condition) modes; only IP, Role, and Group filter criteria are supported.
Post-login Enforcement: Executes only after user authentication, enabling dynamic session control.

Practical Use and Benefits

Prevents Session Hijacking: Blocks access if session cookies are used from unauthorized IP addresses, protecting against impersonation.
Network Security: Restricts user sessions when accessing from insecure or unexpected networks based on configured IP ranges.
Granular Control: Allows defining IP restrictions by user group or role, enabling tailored security policies per organizational needs.

Configuration Considerations

The Session Validation Context record includes fields for naming, description, default policy behavior, and selecting Allow or Deny policies.
Policy inputs and conditions can be reviewed but must be edited directly in the referenced authentication policy records.
Only authenticated user sessions are subject to this validation; it does not apply to guests or native mobile app sessions.

ServiceNow customers can leverage the Session Validation Context to enhance session security by enforcing IP-based restrictions within authenticated sessions, thereby reducing risks of unauthorized access and improving compliance with security policies.

Use the Session Validation Context as an additional layer of protection against session or cookie hijacking.

You can use the Session Validation Context with the Adaptive authentication policy framework. The framework uses authentication policies to evaluate authentication requests and then either denies or allows access based on policy inputs and conditions.

The Session Validation Context policy can be used in conjunction with post auth policy, where an admin can enforce IP restrictions to certain or all users during the logged in session.

The Session Validation Context feature evaluates the IP-addresses based on the conditions you set and allows access to the instance within a session. The Session Validation Context outcome is set based on selecting Allow Policy as this policy terminates the user session immediately unless one of the policy conditions defined in the allow access policy evaluates to true.

Note:

The Session Validation Context for an authentication policy can only be with Allow Policy.

The Session Validation Context works based on the following mechanism:

Captures the user's IP address on session creation from user request and stores it in the session and database.
Rejects a request when its IP address differs from that in the session or outside of the customer defined valid IP ranges you defined.

Note:

The Session Validation Context is:

Available only for authenticated users.
Not applicable for guest user sessions or native mobile apps.
Optional and based on the requirement that it can be configured.
Executed only for the post-login requests.

Benefits of Session Validation

The Session Validation Context has the following benefits:

Restricts access to ServiceNow® when hijackers copy a user's session cookies from one device to another to impersonate the session.
Restricts the user's session access if they're using an insecure network.
Configures the various rules and IP ranges by user group or role for user logins.

Session Validation context record

Policies in the session validation context execute post-login requests.

Use the fields in the session validation policy context record to define how your instance uses your policy.

Table 1. Session Validation context form
Field	Description
Name	Name of the policy context. This field is static and can’t be changed.
Description	Description of the context.
Default Policy	Defines the default behavior of this context when evaluating the policy. Select from the following options. Allow Policy Denies access to all users by default, and only allows access when the conditions in the Allow Policy field evaluate to true. Deny Policy Allows access to all users by default, and only denies access when the conditions in the Deny Policy field evaluate to true.
Allow Policy	The policy used for this context. This field appears only when the Default Policy field is set to Allow Policy.
Deny Policy	The policy used for this context. This field appears only when the Default Policy field is set to Deny Policy.

You can choose the Session Validation Policy as Allow Policy or Deny Policy based on the policy input and policy conditions.

Note:

You can only use the IP, Role, and Group filter criteria for Session Validation policy.

Policy inputs and conditions

The Policy Input and Policy Conditions tabs display the inputs and conditions of the policy selected in the Allow Policy or Deny Policy field. These tabs serve as a reference; but they can’t be used to change the policy inputs or conditions. To modify your policy, navigate to the policy using the reference icon next to the Allow Policy or Deny Policy field.