Session Protection
Keep sessions from being used on unauthorized devices
Repacket Session Protection safeguards HttpOnly cookies by default.
Overview
Session Protection is an advanced security feature that prevents cookie theft and session hijacking attempts by encrypting cookies before they reach the browser. This works even in the face of malware or XSS vulnerabilities.
Cookie Encryption
Secure cookies from theft through client-side encryption and decryption
Pre-configured Rules
Ready-to-use protection for popular business services like Google, Okta, and GitHub
Custom Cookie Rules
Define protection based on cookie names, parameters, or domains
HttpOnly Support
Automatic protection for HttpOnly cookies across all sites
How It Works
Even with strong passwords and multi-factor authentication, users remain vulnerable to session hijacking through malware or cross-site scripting (XSS) attacks that can steal authentication cookies after login.
Session Protection addresses this vulnerability through a unique approach:
- Cookie Encryption: Cookies are encrypted before reaching the user’s browser, so the browser never sees the actual cookie values
- Dynamic Decryption: When legitimate requests are made, Repacket decrypts the cookies on-the-fly
- Theft Prevention: Any stolen cookies become useless when used on any other machine or browser
This protection is transparent to users and compatible with most web applications. It may, however, break websites whose client-side code needs plaintext access to the cookie value.
In addition to encrypting cookies, you can choose to block them completely. This is useful for reducing tracking cookies or other non-essential cookies from third-party services.
Configuring Session Protection
Session Protection can be configured via the Protections page on our dashboard.
Navigate to Protections
Go to the Protections section in your Repacket dashboard.
Create a new rule
Click “Create new rule” and select “Session Protection” as the rule type.
Select applications
Choose from the application dropdown which services to apply protection to (Google, GitHub, etc.), or select “Custom” to define your own.
Configure cookie settings
For pre-configured applications, the recommended cookie settings are applied automatically.
For custom rules, specify:
- Cookie names (using regular expressions if needed)
- Cookie parameters to match (HttpOnly, Secure, etc.)
- Whether to encrypt cookies or block them entirely
Define exceptions
Optionally specify user groups or scenarios where protection should not apply.
Save your rule
Apply changes to enforce the session protection across your network.
Supported Applications
Repacket includes pre-configured session protection rules for major business services:
- Google Workspace
- Okta
- Atlassian
- GitHub
- Zoom
- YouTube
- Figma
Additionally, Repacket automatically enables protection for all cookies marked “HttpOnly” across all websites. Since JavaScript cannot access these cookies by design, encrypting them is always safe and doesn’t affect functionality.
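To make the encrypt-on-response / decrypt-on-request flow from "How It Works" concrete, together with the custom-rule fields (name regex, required attributes) and the automatic HttpOnly handling, here is an added Python model of a proxy's two cookie hooks. It is illustration only, not Repacket's code: the device-key derivation, the `rp1.` marker, the HMAC-based cipher (a stand-in for a real AEAD) and the sample rule are all assumptions.

```python
import base64, hashlib, hmac, re, secrets

PREFIX = "rp1."  # constructed marker so the request path knows which values are ciphertext

def device_key(device_secret: bytes, device_id: str) -> bytes:
    # Device-bound key: derived from a secret held on the endpoint plus the device
    # identity, so a value encrypted for one machine cannot be decrypted on another.
    return hashlib.sha256(device_secret + device_id.encode()).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for an AEAD cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt_value(key: bytes, value: str) -> str:
    pt, nonce = value.encode(), secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]  # encrypt-then-MAC
    return PREFIX + base64.urlsafe_b64encode(nonce + ct + tag).decode()

def decrypt_value(key: bytes, token: str):
    raw = base64.urlsafe_b64decode(token[len(PREFIX):])
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if len(raw) < 28 or not hmac.compare_digest(tag, expect):
        return None  # encrypted for another device, or tampered with: useless here
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))).decode()

# Constructed custom rule in the shape the page describes: name regex plus required attributes.
RULE = {"name": re.compile(r"^(SID|session)$"), "attrs": {"Secure"}}

def on_set_cookie(key: bytes, header: str) -> str:
    # Response path: rewrite Set-Cookie so the browser only ever stores ciphertext.
    # HttpOnly cookies are always protected; others only when the custom rule matches.
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0] for p in parts[1:]}
    if "HttpOnly" in attrs or (RULE["name"].search(name) and RULE["attrs"] <= attrs):
        parts[0] = f"{name}={encrypt_value(key, value)}"
    return "; ".join(parts)

def on_cookie(key: bytes, header: str) -> str:
    # Request path: decrypt protected values on the fly; drop any that fail to decrypt.
    out = []
    for pair in header.split(";"):
        name, _, token = pair.strip().partition("=")
        if not token.startswith(PREFIX):
            out.append(f"{name}={token}")
        elif (plain := decrypt_value(key, token)) is not None:
            out.append(f"{name}={plain}")
    return "; ".join(out)
```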
Best Practices