Repacket Session Protection safeguards HttpOnly cookies by default.

Overview

Session Protection is an advanced security feature that prevents cookie theft and session hijacking attempts by encrypting cookies before they reach the browser. This works even in the face of malware or XSS vulnerabilities.

Cookie Encryption

Secure cookies from theft through client-side encryption and decryption

Pre-configured Rules

Ready-to-use protection for popular business services like Google, Okta, and GitHub

Custom Cookie Rules

Define protection based on cookie names, parameters, or domains

HttpOnly Support

Automatic protection for HttpOnly cookies across all sites

How It Works

Even with strong passwords and multi-factor authentication, users remain vulnerable to session hijacking through malware or cross-site scripting (XSS) attacks that can steal authentication cookies after login.

Session Protection addresses this vulnerability through a unique approach:

  1. Cookie Encryption: Cookies are encrypted before reaching the user’s browser, so the browser never sees the actual cookie values
  2. Dynamic Decryption: When legitimate requests are made, Repacket decrypts the cookies on-the-fly
  3. Theft Prevention: Any stolen cookies become useless when used on any other machine or browser

This protection works transparently to users while maintaining compatibility with most web applications. It may be incompatible with some websites whose page scripts need plaintext access to a cookie value.

In addition to encrypting cookies, you can choose to block them completely. This is useful for reducing tracking cookies or other non-essential cookies from third-party services.
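The three steps above (encrypt on the way in, decrypt on the way out, stolen values useless elsewhere), together with the block option and the name/parameter matching that custom rules use, as an added illustration that is not Repacket's code (its real cipher, key handling and rule format are not documented on this page): a proxy-side rewrite of Set-Cookie and Cookie headers keyed to a per-device secret, so a sealed value carried to another machine fails authentication and is dropped. The HMAC-based encrypt-then-MAC construction and the rule list are constructed for the example.

```python
import base64, hashlib, hmac, re, secrets

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real AEAD cipher
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def seal(key, name, value):
    # encrypt-then-MAC; the cookie name is bound into the tag so values can't be swapped
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(value.encode(), _keystream(key, nonce, len(value))))
    tag = hmac.new(key, name.encode() + nonce + ct, hashlib.sha256).digest()[:16]
    return "rp1." + base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")

def unseal(key, name, token):
    # returns the plaintext, or None if sealed under a different device key or tampered
    raw = base64.urlsafe_b64decode(token[4:] + "=" * (-len(token[4:]) % 4))
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    expect = hmac.new(key, name.encode() + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

# constructed rules in the spirit of the page's custom rules; first match wins
RULES = [{"name": re.compile(r"^_ga"), "action": "block"},                          # tracking cookie
         {"name": re.compile(r".*"), "require": {"httponly"}, "action": "encrypt"}]  # HttpOnly default

def on_response_set_cookie(header, device_key, rules=RULES):
    # rewrite a Set-Cookie header before it reaches the browser; None means drop it
    nv, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = nv.partition("=")
    flags = {a.split("=")[0].lower() for a in attrs}
    for rule in rules:
        if rule["name"].search(name) and rule.get("require", set()) <= flags:
            if rule["action"] == "block": return None
            return "; ".join([f"{name}={seal(device_key, name, value)}", *attrs])
    return header  # no rule matched: pass through unchanged

def on_request_cookie(header, device_key):
    # decrypt sealed values on the way out; a value this device cannot open is dropped
    kept = []
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if value.startswith("rp1."):
            value = unseal(device_key, name, value)
            if value is None: continue  # sealed on another machine, or tampered with
        kept.append(f"{name}={value}")
    return "; ".join(kept)
```

The browser only ever stores the `rp1.` token, so a copy of it lifted by malware or XSS decrypts to nothing on any device that does not hold the same key.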

Configuring Session Protection

Session Protection can be configured via the Protections page on our dashboard.

  1. Navigate to Protections: Go to the Protections section in your Repacket dashboard.
  2. Create a new rule: Click “Create new rule” and select “Session Protection” as the rule type.
  3. Select applications: Choose from the application dropdown which services to apply protection to (Google, GitHub, etc.), or select “Custom” to define your own.
  4. Configure cookie settings: For pre-configured applications, the recommended cookie settings are applied automatically. For custom rules, specify:
     • Cookie names (using regular expressions if needed)
     • Cookie parameters to match (HttpOnly, Secure, etc.)
     • Whether to encrypt cookies or block them entirely
  5. Define exceptions: Optionally specify user groups or scenarios where protection should not apply.
  6. Save your rule: Apply changes to enforce the session protection across your network.

Supported Applications

Repacket includes pre-configured session protection rules for major business services:

  • Google Workspace
  • Okta
  • Atlassian
  • LinkedIn
  • GitHub
  • Zoom
  • YouTube
  • Figma

Additionally, Repacket automatically enables protection for all cookies marked “HttpOnly” across all websites. Since JavaScript cannot access these cookies by design, encrypting them is always safe and doesn’t affect functionality.

Best Practices