Session validation context

  • Release version: Zurich
  • Updated July 31, 2025

    Use the Session Validation Context as an additional layer of protection against session or cookie hijacking.

    You can use the Session Validation Context with the Adaptive Authentication policy framework. The framework evaluates authentication requests against authentication policies and then allows or denies access based on the policy inputs and conditions.

    The Session Validation Context policy can be used together with a post-authentication policy, so that an admin can enforce IP restrictions on some or all users for the duration of the logged-in session.

    The Session Validation Context evaluates the IP address of each request against the conditions you set and lets the request proceed within the session only when they are satisfied. Configure the context with Allow Policy: with this setting the instance terminates the user session immediately unless at least one of the conditions defined in the referenced allow policy evaluates to true.

    Note:
    The Session Validation Context for an authentication policy can only be used with Allow Policy.

    The Session Validation Context works based on the following mechanism:

    • Captures the user's IP address from the request on session creation and stores it in the session and in the database.
    • Rejects a request when its IP address differs from the one stored in the session or falls outside the valid IP ranges you defined.
    Note:
    The Session Validation Context is:
    • Available only for authenticated users.
    • Not applicable for guest user sessions or native mobile apps.
    • Optional; configure it only where your requirements call for it.
    • Executed only for the post-login requests.
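    The mechanism above, together with the Allow Policy default described in Table 1 below, modelled as an added JavaScript example. This is illustrative code written for this page, not ServiceNow's implementation: the session and policy record shapes, the function names, the three condition types and the sample users and addresses are all assumptions, and the IP-range matching is plain IPv4 CIDR.

```javascript
// Illustrative model of the Session Validation Context mechanism.
// Added example, not ServiceNow code: record shapes, names and sample data are assumptions.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`invalid IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!Number.isInteger(n) || n < 0 || n > 255) throw new Error(`invalid IPv4 address: ${ip}`);
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

// True if ip lies inside the CIDR block, e.g. "10.0.0.0/8". A bare address means /32.
function ipInCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid CIDR: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0; // shift by 32 is a no-op in JS, so special-case /0
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Constructed allow policy. Only IP, Role and Group conditions are permitted for
// session validation; any other type is rejected at evaluation time.
const allowPolicy = {
  conditions: [
    { type: "ip", cidrs: ["10.0.0.0/8", "192.168.1.0/24"] }, // assumed corporate ranges
    { type: "role", anyOf: ["admin"] },
    { type: "group", anyOf: ["Field Technicians"] },
  ],
};

function conditionHolds(cond, input) {
  switch (cond.type) {
    case "ip":    return cond.cidrs.some((c) => ipInCidr(input.ip, c));
    case "role":  return cond.anyOf.some((r) => input.roles.includes(r));
    case "group": return cond.anyOf.some((g) => input.groups.includes(g));
    default: throw new Error(`condition type not allowed in session validation: ${cond.type}`);
  }
}

// On login: bind the client IP to the new session (the page says it is also persisted).
function createSession(user, ip) {
  return { user, ip, active: true };
}

// On every post-login request. Guest sessions are out of scope and pass through.
// Returns { allowed, reason }; a denial terminates the session.
function validateRequest(session, request, policy) {
  if (!session.active) return { allowed: false, reason: "session terminated" };
  if (session.user.guest) return { allowed: true, reason: "guest session, context not applied" };

  // 1. The request must come from the IP captured at session creation.
  if (request.ip !== session.ip) {
    session.active = false;
    return { allowed: false, reason: `IP changed from ${session.ip} to ${request.ip}` };
  }
  // 2. Allow Policy semantics: deny by default, allow only if some condition is true.
  const input = { ip: request.ip, roles: session.user.roles, groups: session.user.groups };
  if (!policy.conditions.some((c) => conditionHolds(c, input))) {
    session.active = false;
    return { allowed: false, reason: "no allow condition matched" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed scenario: a normal session, then the same cookie replayed from another host,
// then a user who logged in from outside every permitted range.
function demo() {
  const alice = { name: "alice", roles: ["itil"], groups: ["Field Technicians"], guest: false };
  const bob   = { name: "bob",   roles: ["itil"], groups: [],                    guest: false };
  const s1 = createSession(alice, "10.20.30.40");
  const r1 = validateRequest(s1, { ip: "10.20.30.40" }, allowPolicy); // same IP, inside 10.0.0.0/8
  const r2 = validateRequest(s1, { ip: "203.0.113.7" }, allowPolicy); // hijacked cookie from elsewhere
  const r3 = validateRequest(s1, { ip: "10.20.30.40" }, allowPolicy); // session already terminated
  const s2 = createSession(bob, "203.0.113.7");
  const r4 = validateRequest(s2, { ip: "203.0.113.7" }, allowPolicy); // IP unchanged, but no condition matches
  return { r1, r2, r3, r4 };
}
```

    Binding a session to its source IP is an additional layer, not a substitute for short session lifetimes and secure cookie attributes: a cookie replayed from behind the same NAT egress address as the victim presents the same IP and passes the check, and a legitimate user whose address changes mid-session is logged out.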

    Benefits of Session Validation

    The Session Validation Context has the following benefits:

    • Restricts access to ServiceNow® when hijackers copy a user's session cookies from one device to another to impersonate the session.
    • Restricts the user's session access if they're using an insecure network.
    • Lets you define rules and IP ranges per user group or role.

    Session Validation context record

    Policies in the session validation context execute on post-login requests.

    Use the fields in the session validation policy context record to define how your instance uses your policy.

    Table 1. Session Validation context form

    • Name: Name of the policy context. This field is static and can't be changed.
    • Description: Description of the context.
    • Default Policy: Defines the default behavior of this context when evaluating the policy. Select one of the following options.
      • Allow Policy: Denies access to all users by default, and only allows access when the conditions in the Allow Policy field evaluate to true.
      • Deny Policy: Allows access to all users by default, and only denies access when the conditions in the Deny Policy field evaluate to true.
    • Allow Policy: The policy used for this context. This field appears only when the Default Policy field is set to Allow Policy.
    • Deny Policy: The policy used for this context. This field appears only when the Default Policy field is set to Deny Policy.

    Although the form offers both Default Policy values, the Session Validation Context is supported only with Allow Policy (see the note above); the policy inputs and conditions of the referenced allow policy determine which requests are permitted.

    Note:

    You can only use the IP, Role, and Group filter criteria for Session Validation policy.

    Policy inputs and conditions

    The Policy Input and Policy Conditions tabs display the inputs and conditions of the policy selected in the Allow Policy or Deny Policy field. These tabs are for reference only; you can't use them to change the policy inputs or conditions. To modify your policy, open it with the reference icon next to the Allow Policy or Deny Policy field.