This guide walks you through the required configuration to populate the verifications, sessions, and profiles sections within the Cymatic app.

Once the steps outlined below are completed, you will gain insight into authentication submissions, user-level analytics for how the user base interacts with your web app, risks presented by your authenticated user base, and the capability to log an authenticated user out of your web application if necessary.

Upon completion of this guide, you will gain user-level session visibility and control, insight into various risks your authenticated user base is exposing your web application to, user-based profile information, and user-based session history.

Step 1: Create a cookie in your web application

For Cymatic to track user authentication and behavior, a cookie is required. Because of the number of customization options available when creating a cookie, it is typically easier to create a new one for Cymatic to use than to leverage an existing cookie. Although an existing cookie more than likely exists on your web app, if certain parameters have been modified, it may cause unexpected results within the Cymatic app.

Web applications can be written in many different languages. Cymatic does its best to provide documentation for all available languages. If your web app is written in a language that is not documented in this guide, please let us know and we will get it added as soon as possible. Keep in mind that just because it is not documented does not mean it is not supported. Regardless of the language your web app is coded in, the following is a sample of what needs to be pushed out to the browser to create the cookie:

Set-Cookie: username=some_value; Path=/; Domain=.example.com

To perform the following steps, you will need access to modify the HTML of the web application pages you would like to deploy Cymatic on. The following code blocks are samples. To work with your unique web app, customization may be required.

For accurate session information and control, Cymatic requires the following:

The HttpOnly flag needs to be disabled.
The cookie should be set at the time your web application determines an authentication request to be legitimate and the user is logged in.
The cookie should be deleted when the user logs out of your app.

To create the cookie in the following languages:

ExpressJS
res.cookie('cymatic-cookie', 'cookie-value', { expires: new Date(Date.now() + 900000), httpOnly: false });
Golang
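// w is the handler's http.ResponseWriter; cookies are set on the response.
cookie := &http.Cookie{
    Name:     "cymatic-cookie",
    Value:    "cookie-value",
    MaxAge:   900000, // MaxAge is in seconds
    HttpOnly: false,
}
http.SetCookie(w, cookie)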

PHP
<?php
$arr_cookie_options = array (
    'expires' => time() + 60*60*24*30,
    'path' => '/',
    'domain' => '.example.com',
    'secure' => true,
    'httponly' => false,
    'samesite' => 'None'
);
setcookie('cymatic-cookie', 'cookie-value', $arr_cookie_options);
?>

Spring
Cookie cookie = new Cookie("cymatic-cookie", "cookie-value");
cookie.setMaxAge(7 * 24 * 60 * 60);
cookie.setSecure(true);
cookie.setHttpOnly(false);
response.addCookie(cookie);

To delete the cookie in the following languages:

ExpressJS
// Overwrite the cookie with an empty value and an expiry date in the past.
res.cookie('cymatic-cookie', '', { expires: new Date(0) });
res.clearCookie('cymatic-cookie');

Golang
// A negative MaxAge tells the browser to delete the cookie immediately.
cookie := &http.Cookie{
    Name:     "cymatic-cookie",
    Value:    "",
    MaxAge:   -1,
    HttpOnly: false,
}
http.SetCookie(w, cookie)

PHP
unset($_COOKIE['cymatic-cookie']);
// Path and domain must match the values used when the cookie was set.
setcookie('cymatic-cookie', '', time() - 3600, '/', '.example.com');

Spring
Cookie cookie = new Cookie("cymatic-cookie", null);
cookie.setMaxAge(0);
cookie.setSecure(true);
cookie.setHttpOnly(false);
response.addCookie(cookie);
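
The set-at-login and delete-at-logout requirements above, combined in one runnable Go sketch (an added example, not Cymatic's code). The `app-session` cookie name, the `alice` account, the user name as the cookie value and the 900-second lifetime are assumptions; because the Cymatic cookie has HttpOnly disabled and is readable by page script, the sketch keeps the session token in a separate HttpOnly cookie.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// cookie is used for both set and delete so Name, Domain and Path always match.
func cookie(name, value string, maxAge int, httpOnly bool) *http.Cookie {
	return &http.Cookie{Name: name, Value: value, Path: "/", Domain: "example.com",
		MaxAge: maxAge, Secure: true, HttpOnly: httpOnly} // MaxAge is in seconds
}

// login issues cookies only after the credential check has passed.
func login(w http.ResponseWriter, r *http.Request) {
	user, pass := r.PostFormValue("user"), r.PostFormValue("pass")
	if user != "alice" || pass != "demo-password" { // stand-in for the real check
		http.Error(w, "invalid credentials", http.StatusUnauthorized)
		return
	}
	token := make([]byte, 16)
	if _, err := rand.Read(token); err != nil {
		panic(err) // never issue a session without a random token
	}
	// Session token (assumed cookie name): HttpOnly, hidden from page script.
	http.SetCookie(w, cookie("app-session", hex.EncodeToString(token), 900, true))
	// Tracking cookie: HttpOnly off as the guide requires, so it holds no secret.
	http.SetCookie(w, cookie("cymatic-cookie", user, 900, false))
}

func logout(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, cookie("app-session", "", -1, true)) // MaxAge < 0 expires now
	http.SetCookie(w, cookie("cymatic-cookie", "", -1, false))
}

func cookiesFrom(h http.HandlerFunc, user, pass string) []*http.Cookie { // test driver
	req := httptest.NewRequest(http.MethodPost, "/", nil)
	req.PostForm = url.Values{"user": {user}, "pass": {pass}} // constructed input
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Result().Cookies()
}

func main() {
	fmt.Println(cookiesFrom(login, "alice", "demo-password"), cookiesFrom(logout, "", ""))
}
```
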

Step 2: Configure the cookie in the Cymatic app
Now that the cookie is created in your app, you need to let Cymatic know the name of the cookie. Log in to the Cymatic web app. Once authenticated, from the sites page click on the site you want to define the cookie on. Navigate to settings > Cymatic > sessions. In the cookie settings section, enter the name of the cookie in the text box. In the upper right hand corner, click on the 'save changes' button.

Step 3: Set the logout URL in the Cymatic app

If you would like to grant Cymatic the ability to log a user out of their session, the logout URL needs to be provided to the Cymatic app. There are numerous reasons you may want to log the user out including risk, password vulnerabilities, account takeover, etc. To determine the logout URL of your web app, log in to the app with a valid account. Once logged in, hover over the logout button with the cursor. In the bottom left hand corner of the browser, you should see a URL appear. This is the logout URL.

Now that we know the logout URL, enter it in the Cymatic app at settings > Cymatic > sessions > close session. Enter the URL into the text box labeled 'URL'.

The last part required is to let Cymatic know whether the logout page expects a GET or a POST request. If you are not sure which one your app requires, it can be easily determined in your browser. Open the developer tools in your browser with the F12 key. Click on the network tab. While logged in to your web app, click on the log out button. In the name portion of the network page in the developer tools, find the name of the logout page. In this example, it is logout.php. Click on the name of the page, and to the right of the name section, click on the 'headers' button. In the output displayed, find the 'request method' header. It should say either GET or POST.

This is the value you want to choose in the Cymatic app at settings > Cymatic > sessions > close session > method. Once selected, click on 'save changes' in the upper right hand corner.

Step 4: Test

With the session cookie and logout URL configured, it is now time to test the settings. To test, log in to your web app with a valid set of credentials. Once authenticated, open up another tab in your browser and log in to the Cymatic app. Once logged in, navigate to activity logs. When configured correctly, you should see an entry with your interactions on the landings, pre verifications, verifications, and sessions tabs. The verifications and sessions tabs are populated by the steps we just completed.

Another area in the Cymatic app that is now being populated is the profiles section. Each time there is a successful login, the Cymatic app will create a new profile or add the session to an existing profile with the same user name. This is performed automatically with no added friction to the end user of your web app. A Cymatic ID is also automatically added to the username profile. Click on the Cymatic ID for your profile in the profiles section. Once in the profile, click on the sessions tab. In the session ID field, you will see either a grey or green dot. A grey dot indicates that the session has been closed and the user is no longer logged in for that session. If the dot is green, the session is still active. To test the logout functionality, make sure you are still logged in to your app and find the session in Cymatic tied to your profile with the green dot. You can close the session from the ellipsis on the right hand side of the active session listing, or you can close it from within the session details by clicking on the ellipsis in the upper right hand corner. To close the session in either scenario, click on the ellipsis, then select 'close active session.' In the popup, click on 'close session'. If configured correctly, your active session in the other tab should be logged out.

If the profiles, verifications, or sessions sections are not populated, please try the following:
Clear the cache in your browser and try to access the page you deployed Cymatic on again.
In the browser tab that is on the page you deployed Cymatic on, right click the page and select "view page source." When the new tab opens up, search for "Cymatic" to confirm the snippets are present.
Confirm that the URL you typed in the browser to access your web application matches the URL entered in the Cymatic app for the site.
Confirm the cookie is deployed correctly and the name is configured in the Cymatic app. To confirm the cookie is deployed correctly, open the developer tools console of your browser that is logged in to your web app. You should be able to see the name of the cookie in the following location:

Log out of the Cymatic app and log back in.

If further assistance is needed, please contact us.