Session Attribution

Session Attribution helps build a coherent view of user behavior across multiple API calls. Instead of treating each request in isolation, AppSentinels groups them into sessions based on common session identifiers (like cookies, JWT tokens, or custom headers).

How it Works

Illustration

Below is an example of a request Cookie header carrying a session token:

Cookie: language=en; welcomebanner_status=dismiss; cookieconsent_status=dismiss; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9

In this example the token cookie is the session identifier (the other cookies are UI preferences, not session identifiers). API requests carrying the same token value are grouped into one session, allowing the platform to understand how the user navigated through the application, what resources were accessed, and whether the pattern matched known safe behaviors.

Configuring Session Attribution

Custom session attribution allows you to define how AppSentinels identifies user sessions using fields specific to your application (such as custom headers, cookies, or tokens).

Steps to Configure Custom Session Attribution

  1. Navigate to: Settings → Session & User Attribution → Session Attribution tab.
  2. Click: + New Custom Attribution to open the configuration form.
  3. Fill in the following fields:

       Field Location
         Where the session identifier is located. Options: Req.Header, Req.Cookie, Resp.Header, Resp.Body, etc.
       Field sublocation (mandatory)
         The exact key under which the session ID or token appears (e.g., authorization, x-access-token, jsessionid).
       Type (optional)
         The token format, if applicable, such as bearer.jwt. This tells AppSentinels how to parse the value and extract session details from a JWT.
       Field to extract session identifier (required only for JWT)
         The claim to use as the session identifier (e.g., sub, sessionId).
       Regex (optional)
         When enabled, the selected APIs are matched against the request URI as regular expressions rather than as exact strings.
       APIs
         The APIs this custom rule applies to, so that session stitching runs only where it is needed.

  4. Click Add to save the custom attribution.

Example Configuration

  Field Location: Req.Header
  Field sublocation: authorization
  Type: bearer.jwt
  Field to extract session identifier: sub

This configuration tells AppSentinels to read the Authorization header, parse the bearer token it carries as a JWT, and use the token's sub claim as the unique session identifier.
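To make the grouping concrete, here is an added Python example (not AppSentinels code, and not a description of how the platform is implemented) that applies rules shaped like the configuration form to a few constructed requests and groups them into sessions. It covers both the illustration under How it Works (requests sharing one token value form one session) and the Example Configuration above (Authorization header, bearer.jwt, sub claim), and adds a cookie-based rule with exact URI matching for contrast. The AttributionRule class, the request record layout (method, uri, req_headers), the unsigned test tokens and the sample traffic are assumptions of this example.

```python
"""Session attribution, illustrated: group API requests by the session identifier a
rule extracts from a header, cookie or JWT claim. Added example, not AppSentinels code:
the rule fields mirror the configuration form, everything else here is assumed."""
import base64
import json
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class AttributionRule:
    location: str                     # Field Location: "Req.Header" or "Req.Cookie"
    key: str                          # Field sublocation: header or cookie name
    token_type: Optional[str] = None  # Type, e.g. "bearer.jwt"
    claim: Optional[str] = None       # Field to extract session identifier (JWT only)
    apis: List[str] = field(default_factory=list)  # APIs in scope; empty means all
    regex: bool = False               # Regex toggle: `apis` are full-match regexes

def jwt_claim(token: str, claim: str) -> Optional[str]:
    """Read one claim from a JWT payload; None for a malformed token or missing claim.
    The signature is not checked: attribution observes traffic, it does not authenticate it."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:  # JWT segments omit base64 padding; restore it before decoding
        payload = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return None
    value = payload.get(claim) if isinstance(payload, dict) else None
    return None if value is None else str(value)

def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie request header into name -> value pairs."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar

def _raw_field(req: dict, rule: AttributionRule) -> Optional[str]:
    """Locate the configured field in a request record; header names are case-insensitive."""
    headers = {k.lower(): v for k, v in req.get("req_headers", {}).items()}
    if rule.location == "Req.Header":
        return headers.get(rule.key.lower())
    if rule.location == "Req.Cookie":
        return parse_cookie_header(headers.get("cookie", "")).get(rule.key)
    return None  # Resp.Header / Resp.Body are out of scope for this example

def extract_session_id(req: dict, rule: AttributionRule) -> Optional[str]:
    """Apply one rule to one request; None if the API is out of scope or nothing is found."""
    uri = req["uri"]
    matches = (lambda p: re.fullmatch(p, uri)) if rule.regex else (lambda p: p == uri)
    if rule.apis and not any(matches(p) for p in rule.apis):
        return None
    raw = _raw_field(req, rule)
    if raw is None:
        return None
    if rule.token_type == "bearer.jwt":
        token = raw[len("Bearer "):] if raw.lower().startswith("bearer ") else raw
        return jwt_claim(token, rule.claim or "sub")
    return raw  # opaque identifier used as-is (cookie value, custom header)

def attribute_sessions(requests: List[dict], rules: List[AttributionRule]) -> Dict[str, List[str]]:
    """Group requests by the first rule (in order) that yields a session id;
    requests no rule can attribute are collected under 'unattributed'."""
    sessions: Dict[str, List[str]] = defaultdict(list)
    for req in requests:
        sid = next((s for s in (extract_session_id(req, r) for r in rules) if s), None)
        sessions[sid or "unattributed"].append(f"{req['method']} {req['uri']}")
    return dict(sessions)

def make_test_jwt(claims: dict) -> str:
    """Constructed test token: genuine header/payload encoding, placeholder signature."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}.placeholder-signature"

# Constructed sample traffic: two JWT users on /api, one cookie-based legacy call, one anonymous probe.
ALICE = make_test_jwt({"sub": "user-42", "sessionId": "s-1"})
BOB = make_test_jwt({"sub": "user-77"})
SAMPLE_REQUESTS = [
    {"method": "GET", "uri": "/api/profile", "req_headers": {"Authorization": f"Bearer {ALICE}"}},
    {"method": "POST", "uri": "/api/orders", "req_headers": {"authorization": f"Bearer {ALICE}"}},
    {"method": "GET", "uri": "/api/profile", "req_headers": {"Authorization": f"Bearer {BOB}"}},
    {"method": "GET", "uri": "/legacy/cart", "req_headers": {"Cookie": "language=en; jsessionid=ABC123"}},
    {"method": "GET", "uri": "/health", "req_headers": {}},
]
RULES = [
    # The page's example rule: Req.Header / authorization / bearer.jwt / sub, regex-scoped to /api/*
    AttributionRule("Req.Header", "authorization", token_type="bearer.jwt", claim="sub",
                    apis=[r"/api/.*"], regex=True),
    # A second rule with exact URI matching for a cookie-based legacy endpoint
    AttributionRule("Req.Cookie", "jsessionid", apis=["/legacy/cart"]),
]
```

Calling attribute_sessions(SAMPLE_REQUESTS, RULES) yields one entry per session identifier (user-42 with two calls, user-77, ABC123) plus an unattributed bucket for the health probe that matched no rule. Two points worth noticing: the JWT claim is read without verifying the signature, which is the right behaviour for passive attribution but means the session key is whatever the client presented, so attribution output is a grouping aid for analysis, not an authentication result; and rules are tried in order, so a request in scope of several rules is attributed by the first one that produces a value.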