Blackboard Help

Session Fingerprinting

If you are a Managed Hosting customer, this topic doesn't apply to you.

Session fingerprinting can help detect when a user's session has been hijacked by a malicious attacker. A fingerprint helps uniquely identify users, for example, by using their computer's IP address or the type of browser (User Agent) that they are using.

Session fingerprinting is a mitigating control that reduces the risk of session hijacking by a malicious attacker. Blackboard highly recommends enabling this control. To enable it properly, you must enable both "Enable session fingerprinting" and "Create New Session When Fingerprint Changes", with the Fingerprint Value set to both IP Address and User Agent.

Configure session fingerprinting

On the Administrator Panel, under Security, select Session Fingerprint Settings. The following table describes the available fields.

Field Description
Enable session fingerprinting

Select Yes to enable session fingerprinting.

Log Location

The location to which changes to users' fingerprints will be logged. To view the contents of the log, on the Administrator Panel, under Tools and Utilities, select Logs.

Fingerprint Value

Choose which values to include in the session fingerprint: IP address, User agent, or both. There are pros and cons to each item you can include:
  • IP address: The IP address is the address of the user's computer. Generally this will not change during a session. However, certain Internet Service Providers, such as AOL, change the IP addresses of their users quite frequently. False positives can occur if users are coming from such ISPs.
  • User Agent: The user agent indicates the particular browser the user is using to access the site. This is the safest value to use in most cases because the browser will generally not change during a session. However, if the "persistent cookie" setting is enabled, false positives may occur if users are using WebDAV for Web Folders and Shared Locations.

Selecting both is recommended when possible. This allows greater granularity in the fingerprint. If you are using a load balancer, session fingerprinting currently cannot distinguish the original client IP address from the load balancer IP address, so selecting the user agent is recommended.

Filter IP Addresses

If you select IP address or IP address and user agent in the Fingerprint Value field, select Yes to exclude ranges of IP addresses from being included in the session fingerprints. This is useful for excluding trusted IP ranges or IP ranges of ISPs known to change addresses frequently, such as AOL. Customize the IP ranges by modifying the bb-session-fingerprint-excluded-addresses.txt configuration file.

Create New Session When Fingerprint Changes

Select Yes to force a new session to be created when a user's fingerprint changes. For genuine hijacking attempts, this causes the hijacker to see the login page while the user maintains the current session. However, if any false positives occur (as described above under Fingerprint Value), the user will have to log in again. This is a tradeoff between security and convenience. This option is not recommended if persistent cookies have been enabled or if you are using IP address as part of the fingerprint, because it will force users to log in again if they attempt to use a Web Folder/Shared Location or if their IP address legitimately changes.

When you set "Create new session when fingerprint changes" to Yes, a login prompt will appear when the multiple file applet loads.
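
The settings above can be modeled in a few lines to see how they interact. This is an added illustration, not Blackboard's code: the function names, the cfg keys, the treatment of excluded ranges (the address is left out of the fingerprint) and the sample requests are all assumptions constructed for the example.

```python
import hashlib
import ipaddress

def fingerprint(ip, user_agent, cfg):
    """Hash the values selected in cfg into one session fingerprint."""
    parts = []
    if cfg["use_ip"]:
        addr = ipaddress.ip_address(ip)
        # Assumption: an address inside an excluded range is left out of the
        # fingerprint, so changes within those ranges are not flagged.
        skip = any(addr in ipaddress.ip_network(n) for n in cfg["excluded"])
        parts.append("ip=-" if skip else f"ip={addr}")
    if cfg["use_ua"]:
        parts.append(f"ua={user_agent}")
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()

def login(user, ip, user_agent, cfg):
    """Create a session record and store the fingerprint seen at login."""
    return {"user": user, "fingerprint": fingerprint(ip, user_agent, cfg)}

def check_request(session, ip, user_agent, cfg, log):
    """Return "ok", "logged" (session kept) or "new_session" (login page)."""
    if not cfg["enabled"] or fingerprint(ip, user_agent, cfg) == session["fingerprint"]:
        return "ok"
    log.append((session["user"], ip, user_agent))  # fingerprint change record
    # The stored session is untouched: only the requester presenting the
    # changed fingerprint is sent to the login page.
    return "new_session" if cfg["new_session_on_change"] else "logged"

def demo():
    """Constructed requests; addresses come from documentation ranges."""
    base = {"enabled": True, "use_ip": True, "use_ua": True,
            "excluded": (), "new_session_on_change": True}
    log, ua = [], "ExampleBrowser/1.0"
    s = login("alice", "198.51.100.7", ua, base)
    results = {
        "same client": check_request(s, "198.51.100.7", ua, base, log),
        "other address and browser": check_request(s, "203.0.113.50", "OtherBrowser/2.0", base, log),
        "ISP changed address": check_request(s, "198.51.100.99", ua, base, log),
    }
    # Behind a load balancer every request shows the balancer address
    # (10.0.0.5 here), so an IP-only fingerprint never changes.
    ip_only = dict(base, use_ua=False)
    s_lb = login("alice", "10.0.0.5", ua, ip_only)
    results["load balancer, IP only"] = check_request(s_lb, "10.0.0.5", "OtherBrowser/2.0", ip_only, log)
    return results, log

if __name__ == "__main__":
    print(demo())
```

The "ISP changed address" case is the false positive described under Fingerprint Value, and the load balancer case shows why the user agent should be selected in that deployment.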

Log location