
# Session Protection

> Keep sessions from being used on unauthorized devices

<Note>
  Repacket Session Protection safeguards HttpOnly cookies by default.
</Note>

## Overview

Session Protection prevents cookie theft and session hijacking by encrypting cookies before they reach the browser. Because the browser only ever stores ciphertext, a cookie exfiltrated by malware on the endpoint or by an XSS payload in the page cannot be replayed from another machine or browser.

<CardGroup cols={2}>
  <Card title="Cookie Encryption" icon="lock" color="#07edb5">
    Secure cookies from theft through client-side encryption and decryption
  </Card>

  <Card title="Pre-configured Rules" icon="sparkles" color="#07edb5">
    Ready-to-use protection for popular business services like Google, Okta, and GitHub
  </Card>

  <Card title="Custom Cookie Rules" icon="sliders" color="#07edb5">
    Define protection based on cookie names, parameters, or domains
  </Card>

  <Card title="HttpOnly Support" icon="cookie" color="#07edb5">
    Automatic protection for HttpOnly cookies across all sites
  </Card>
</CardGroup>

## How It Works

Even with strong passwords and multi-factor authentication, users remain vulnerable to session hijacking through malware or cross-site scripting (XSS) attacks that can steal authentication cookies after login.

Session Protection addresses this vulnerability through a unique approach:

1. **Cookie Encryption**: Repacket encrypts cookies before they reach the user's browser, so the browser stores only ciphertext and never sees the actual cookie values
2. **Dynamic Decryption**: When the user's browser makes a request, Repacket decrypts the cookies on the fly before the request reaches the site, so the application receives the values it originally set
3. **Theft Prevention**: A stolen cookie is ciphertext bound to the device it was issued to; replayed from any other machine or browser it cannot be decrypted and is useless to the attacker

This protection is transparent to users and compatible with most web applications. It can break sites where page JavaScript needs plaintext access to a protected cookie (for example, a non-HttpOnly cookie read through `document.cookie`), so protect non-HttpOnly cookies only with rules you have tested.

In addition to encrypting cookies, a rule can block them outright, so the browser never receives them. This is useful for dropping tracking, analytics, or other non-essential cookies from third-party services.

## Configuring Session Protection

Session Protection can be configured via the [Protections](https://app.repacket.com/gateway#protections) page on our dashboard.

<Steps>
  <Step title="Navigate to Protections">
    Go to the [Protections](https://app.repacket.com/gateway#protections) section in your Repacket dashboard.
  </Step>

  <Step title="Create a new rule">
    Click "Create new rule" and select "Session Protection" as the rule type.
  </Step>

  <Step title="Select applications">
    Choose from the application dropdown which services to apply protection to (Google, GitHub, etc.), or select "Custom" to define your own.
  </Step>

  <Step title="Configure cookie settings">
    For pre-configured applications, the recommended cookie settings are applied automatically.

    For custom rules, specify:

    * Cookie names (using regular expressions if needed)
    * Cookie parameters to match (HttpOnly, Secure, etc.)
    * Whether to encrypt cookies or block them entirely
  </Step>

  <Step title="Define exceptions">
    Optionally specify user groups or scenarios where protection should not apply.
  </Step>

  <Step title="Save your rule">
    Apply changes to enforce the session protection across your network.
  </Step>
</Steps>
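The mechanism described under How It Works, combined with the custom-rule settings from the steps above (cookie-name regex, attribute match, encrypt or block), as an added Python example written for this page; it is not Repacket's own code. It assumes a per-device key derived from a gateway master secret, an HMAC-SHA256 encrypt-then-MAC construction standing in for a real AEAD, and a hypothetical `rp1.` prefix marking sealed values; the rule set and the cookie headers are constructed for the demonstration.

```python
import base64, binascii, hashlib, hmac, os, re
from dataclasses import dataclass
from typing import Optional

# Gateway master secret, constructed for this example (a real gateway loads it from a secret store).
MASTER_SECRET = hashlib.sha256(b"example-gateway-master-secret").digest()
PREFIX = "rp1."  # hypothetical marker telling the gateway that a cookie value is sealed

def device_keys(device_id: str):
    # Per-device (encryption key, MAC key): a value sealed for one device cannot be
    # opened with another device's keys, which is what makes a copied cookie useless elsewhere.
    enc = hmac.new(MASTER_SECRET, b"enc|" + device_id.encode(), hashlib.sha256).digest()
    mac = hmac.new(MASTER_SECRET, b"mac|" + device_id.encode(), hashlib.sha256).digest()
    return enc, mac

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES so the example needs only the
    # standard library; real code should use AES-GCM or another AEAD.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(device_id: str, plaintext: str) -> str:
    # Encrypt-then-MAC; the base64url output contains only characters valid in a cookie value.
    enc, mac = device_keys(device_id)
    nonce, pt = os.urandom(16), plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc, nonce, len(pt))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return PREFIX + base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")

def unseal(device_id: str, token: str) -> Optional[str]:
    # None means "not sealed for this device" (wrong key) or "tampered with" (bad tag).
    if not token.startswith(PREFIX):
        return None
    body = token[len(PREFIX):]
    try:
        raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except binascii.Error:
        return None
    if len(raw) < 48:  # 16-byte nonce + 32-byte tag at minimum
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    enc, mac = device_keys(device_id)
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct)))).decode()

@dataclass(frozen=True)
class Rule:
    name_pattern: str          # regular expression matched against the cookie name
    required_attrs: frozenset  # Set-Cookie attributes that must be present (lower-case)
    action: str                # "encrypt" or "block"

# Constructed rule set; first match wins: block an analytics cookie, encrypt a custom
# session cookie by name, and encrypt every HttpOnly cookie regardless of name.
RULES = [
    Rule(r"^_ga", frozenset(), "block"),
    Rule(r"^(session|sid)$", frozenset(), "encrypt"),
    Rule(r".*", frozenset({"httponly"}), "encrypt"),
]

def parse_set_cookie(header: str):
    # "name=value; Path=/; HttpOnly" -> ("name", "value", {"path": "/", "httponly": ""})
    first, *rest = (p.strip() for p in header.split(";"))
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return name.strip(), value, attrs

def match_rule(name: str, attrs: dict) -> Optional[Rule]:
    for rule in RULES:
        if re.search(rule.name_pattern, name) and rule.required_attrs <= set(attrs):
            return rule
    return None

def rewrite_response_cookies(device_id: str, set_cookie_headers: list) -> list:
    # Applied to Set-Cookie on the way to the browser: block, seal, or pass through unchanged.
    out = []
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        rule = match_rule(name, attrs)
        if rule is None:
            out.append(header)
        elif rule.action == "encrypt":
            _, _, tail = header.partition(";")  # keep Path, HttpOnly, Secure, ... as sent
            out.append(f"{name}={seal(device_id, value)}" + ("; " + tail.strip() if tail else ""))
        # "block": the cookie is dropped and the browser never receives it
    return out

def rewrite_request_cookies(device_id: str, cookie_header: str) -> str:
    # Applied to Cookie on the way to the origin: open what this device sealed; leave plain
    # cookies and tokens sealed for other devices untouched, so a stolen token reaches the
    # origin as ciphertext and simply fails to authenticate.
    pairs = []
    for item in filter(None, (p.strip() for p in cookie_header.split(";"))):
        name, _, value = item.partition("=")
        opened = unseal(device_id, value) if value.startswith(PREFIX) else None
        pairs.append(f"{name}={opened}" if opened is not None else item)
    return "; ".join(pairs)
```

Run `rewrite_response_cookies` over the Set-Cookie headers leaving the origin and `rewrite_request_cookies` over the Cookie header entering it. With the constructed rules, `_ga` never reaches the browser, `session` is stored as ciphertext, and `theme` passes through untouched. Replaying the sealed `session` value from a second device leaves it as ciphertext, so the origin sees an invalid session rather than a hijacked one. Rule order matters: first match wins, so the block rule sits ahead of the catch-all HttpOnly rule.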

## Supported Applications

Repacket includes pre-configured session protection rules for major business services:

* Google Workspace
* Okta
* Atlassian
* LinkedIn
* GitHub
* Zoom
* YouTube
* Figma

Additionally, Repacket automatically protects every cookie marked HttpOnly on every website. Browsers never expose HttpOnly cookies to JavaScript, and the site's server still receives the decrypted value once Repacket processes the request, so encrypting them does not affect functionality.

## Best Practices

<AccordionGroup>
  <Accordion title="Prioritize Identity Providers">
    Start by protecting your identity provider services (Okta, Google, Microsoft) as these are high-value targets.
  </Accordion>

  <Accordion title="Test Before Deployment">
    When creating custom rules for internal applications, test thoroughly in a limited deployment before rolling out widely.
  </Accordion>

  <Accordion title="Block Non-Essential Cookies">
    Consider blocking tracking and analytics cookies entirely rather than encrypting them.
  </Accordion>

  <Accordion title="Maintain Cookie Compatibility">
    Be careful when encrypting cookies that JavaScript needs to access, as this may break site functionality.
  </Accordion>
</AccordionGroup>

## Related Features

<CardGroup cols={2}>
  <Card title="Protections" icon="shield-halved" href="/modules/protections">
    Manage all protection rules in one place
  </Card>

  <Card title="Phishing Prevention" icon="fishing-rod" href="/modules/phishing-prevention">
    Detect and block sophisticated phishing attempts
  </Card>

  <Card title="Firewall" icon="filter" href="/modules/firewall">
    Control internet access with granular access rules
  </Card>

  <Card title="Data Loss Prevention" icon="binary-lock" href="/modules/dlp">
    Prevent sensitive data from being uploaded to unapproved platforms
  </Card>
</CardGroup>
