Session Attribution
Session Attribution helps build a coherent view of user behavior across multiple API calls. Instead of treating each request in isolation, AppSentinels groups them into sessions based on common session identifiers (like cookies, JWT tokens, or custom headers).
How it Works
-
Common session keys (like
JSESSIONID,Authorization, oraccess_token) are extracted from headers, query parameters, or cookies. - The platform links multiple API requests that share the same session key and stitches them into a user session timeline.
- This enables behavior-based analysis, helping detect anomalies such as credential stuffing, session hijacking, or unexpected usage bursts.
Illustration
Below is a visual example of how session attribution works:
Cookie: language=en; welcomebanner_status=dismiss; cookieconsent_status=dismiss; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9
In this example, API requests carrying the same session token are grouped, allowing the platform to understand how the user navigated through the application, what resources were accessed, and whether the pattern matched known safe behaviors.
Configuring Session Attribution
Custom session attribution allows you to define how AppSentinels identifies user sessions using fields specific to your application (such as custom headers, cookies, or tokens).
Steps to Configure Custom Session Attribution
- Navigate to: Settings → Session & User Attribution → Session Attribution tab.
- Click: + New Custom Attribution to open the configuration form.
- Fill in the following fields:
| Field | Description |
|---|---|
| Field Location | Choose where the session identifier is located. Options: Req.Header, Req.Cookie, Resp.Header, Resp.Body, etc. |
| Field sublocation |
Enter the exact key where the session ID/token appears (e.g.,
authorization, x-access-token,
jsessionid). This field is mandatory.
|
| Type (optional) |
Select the token format if applicable, such as
bearer.jwt. This helps AppSentinels parse and extract
session details from JWT tokens.
|
| Field to extract session identifier |
(Only required for JWT) Specify which claim to extract from the
token (e.g., sub, sessionId).
|
| Regex (optional) | The Regex toggle allows you to specify whether the selected APIs should be matched based on regular expressions against the API URI rather than exact matches. |
| APIs | Select the APIs this custom rule should apply to. This allows AppSentinels to apply session stitching only where needed. |
Click Add to save the custom attribution.
Example Configuration
- Field Location: Req.Header
- Field sublocation: authorization
- Type: bearer.jwt
- Field to extract session identifier: sub
- APIs: POST /user/login, GET /user/profile
-
Regex (optional): If you enable Regex and enter
/api/v1/.*, the session attribution will apply to all APIs under/api/v1/.
This configuration tells AppSentinels to use the Authorization header,
extract the JWT, and use the sub claim as the unique
session ID.