A session token (sessionToken) is a one-time bearer token that provides proof of authentication and may be redeemed for an interactive SSO session in Okta in a user agent. A session token can be used only once to establish a session for a user and is revoked when the token expires.
A sessionToken may be passed as part of the following requests:
- Establishing a session using the api/v1/sessions endpoint:

```bash
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "User-Agent: Mozilla/5.0 (${systemInformation}) ${platform} (${platformDetails}) ${extensions}" \
-d '{"sessionToken": "00HiohZYpJgMSHwmL9TQy7RRzuY-q9soKp1SPmYYow"}' \
"https://${OktaDomainName}/api/v1/sessions"
```

- Establishing a session using the oauth2/v1/authorize endpoint:

```
https://${OktaDomainName}/oauth2/v1/authorize?client_id=${clientId}&response_type=id_token&scope=openid&prompt=none&redirect_uri=https://appName.example.com&state=Af0ifjslDkj&nonce=n-0S6_WzA2Mj&sessionToken=0HsohZYpJgMSHwmL9TQy7RRzuY
```
Tags: api/v1/sessions, oauth2/v1/authorize, Okta Classic Engine
In a man-in-the-middle (MitM) scenario, an attacker intercepts the sessionToken, redeems it to create a session of their own, and thereby blocks the original application from exchanging it: because the token is single-use, whichever party redeems it first gets the session and the other party's redemption fails.
For the attacker to get hold of the token, they need a way to read it out of the user agent. In practice this means the source application is vulnerable to Cross-Site Scripting (XSS), since the token is only ever sent over TLS to Okta in the requests above. If the app is not vulnerable to XSS, there is no opportunity for an attacker to intercept and use the sessionToken.
The sessionToken is one-time use, and expires after 5 minutes.
To close this attack path, ensure the app is not vulnerable to Cross-Site Scripting: encode untrusted data on output, avoid injecting user-controlled strings into the DOM, and deploy a Content Security Policy so that injected script cannot run and read the token.
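The following is an added example, not code from the Okta documentation. It reproduces the two requests above in Python (the api/v1/sessions POST and the oauth2/v1/authorize URL) and then plays out the race described in the MitM scenario against a constructed, in-memory stand-in for the sessions endpoint, so that it runs offline. The org name, client id and the FakeOkta class are assumptions; the fake enforces only the two properties the page states, one-time use and a 5-minute lifetime, and its 401 body is made up. Replace the fake with `urllib_transport` to send the request to a real org.

```python
"""Redeem an Okta sessionToken and build an oauth2/v1/authorize URL.

Added example, not from the Okta documentation. OKTA_DOMAIN is a placeholder
and FakeOkta is a constructed stand-in for /api/v1/sessions so the script
runs offline; urllib_transport is the real transport for a live org.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

OKTA_DOMAIN = "example.okta.com"   # assumption: placeholder org name
SESSION_TOKEN_TTL = 300            # sessionToken lifetime stated on the page: 5 minutes


class SessionTokenError(Exception):
    """Raised when Okta rejects the sessionToken (already used, expired or bogus)."""


def build_authorize_url(domain, client_id, redirect_uri, session_token, state, nonce):
    """Compose the oauth2/v1/authorize URL that redeems a sessionToken for an SSO session.
    urlencode percent-encodes redirect_uri/state, which the page's hand-written URL leaves raw."""
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "scope": "openid",
        "prompt": "none",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "sessionToken": session_token,
    }
    return f"https://{domain}/oauth2/v1/authorize?" + urllib.parse.urlencode(params)


def redeem_session_token(domain, session_token, transport):
    """POST {"sessionToken": ...} to /api/v1/sessions, as the curl call does.
    transport(url, body, headers) -> (status, response_text) is injected so the
    example can run against the constructed FakeOkta instead of the network."""
    url = f"https://{domain}/api/v1/sessions"
    body = json.dumps({"sessionToken": session_token}).encode()
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    status, text = transport(url, body, headers)
    if status != 200:
        raise SessionTokenError(f"HTTP {status}: {text}")
    return json.loads(text)


def urllib_transport(url, body, headers):
    """Real transport for a live org (not exercised offline)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class FakeOkta:
    """Constructed stand-in for /api/v1/sessions enforcing the two properties the
    page states: a token is consumed by its first redemption and dies after 5 minutes."""

    def __init__(self, issued_tokens, now=time.time):
        self._issued = dict(issued_tokens)   # token -> issue time (constructed data)
        self._now = now

    def __call__(self, url, body, headers):
        token = json.loads(body).get("sessionToken")
        issued = self._issued.pop(token, None)   # pop: a second redemption finds nothing
        if issued is None or self._now() - issued > SESSION_TOKEN_TTL:
            return 401, json.dumps({"errorSummary": "Authentication failed"})  # constructed body
        return 200, json.dumps({"id": "sess-" + token[:6], "status": "ACTIVE"})


def mitm_race(domain, token, transport):
    """The scenario on the page: an attacker who captured the token redeems it first,
    so the legitimate application's redemption fails. Returns (attacker_session, app_error)."""
    attacker_session = redeem_session_token(domain, token, transport)
    try:
        redeem_session_token(domain, token, transport)
        app_error = None
    except SessionTokenError as err:
        app_error = str(err)
    return attacker_session, app_error


if __name__ == "__main__":
    tok = "00HiohZYpJgMSHwmL9TQy7RRzuY-q9soKp1SPmYYow"   # token string from the page's example
    fake = FakeOkta({tok: time.time()})
    print(build_authorize_url(OKTA_DOMAIN, "clientId-placeholder",
                              "https://appName.example.com", tok, "Af0ifjslDkj", "n-0S6_WzA2Mj"))
    print(mitm_race(OKTA_DOMAIN, tok, fake))
```

Running the script prints the authorize URL and then a tuple whose first element is the attacker's ACTIVE session and whose second element is the 401 the application receives; that second element is exactly the symptom an operator would see in the application's logs when a token has been stolen and spent by someone else.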
