Abstract: A client request message is received at a policy enforcement system from a client-side application intended for a server-side application. The client request message is forwarded to a server-side application. An application response message from the server-side application is intercepted at the policy enforcement system in response to the client request message, resulting in an intercepted application response message. The intercepted application response message is analyzed in view of context information and a network policy. Code to inject into the intercepted application response message is determined based on the analyzing. The code has instructions for eliminating accumulation of stale computing sessions. The code is injected into the intercepted application response message, resulting in a modified message. The modified message is forwarded to the client-side application for automatically executing the instructions on the client-side application.

Abstract: A client request message is received at a policy enforcement system from a client-side application intended for a server-side application. The client request message is forwarded to a server-side application. An application response message from the server-side application is intercepted at the policy enforcement system in response to the client request message, resulting in an intercepted application response message. The intercepted application response message is analyzed in view of context information and a network policy. Code to inject into the intercepted application response message is determined based on the analyzing. The code has instructions for eliminating accumulation of stale computing sessions. The code is injected into the intercepted application response message, resulting in a modified message. The modified message is forwarded to the client-side application for automatically executing the instructions on the client-side application.

Abstract: An example method facilitates dynamic runtime execution of computer code that is selectively injected into messages in accordance with predetermined configuration rules for automatic execution at a message destination. The injection of code into messages, such as messages exchanged during an authenticated computing session, by a policy enforcement system, can be used to efficiently effectuate enhance computing environment security and computing resource use. For example, in a specific embodiment, code for detecting a browser-close event and then terminating a computing session can be automatically executed client side via a browser extension or plugin, thereby helping to eliminate the accumulation of stale computing sessions; thereby mitigating associated security risks and computing resource consumption of stale computing sessions. In another example embodiment, injected code encrypts session cookies, such as via a Time based One Time Password (TOTP).

Abstract: Techniques for described for generating and using rule-enhanced access tokens in connection with authorization for access to resources. An access token is generated in response to determining that a user is authorized to access a protected resource. The access token contains rule information including one or more constraints, each constraint corresponding to a condition for granting or denying access to the protected resource. Upon receiving the access token, a client application can present the access token for accessing the protected resource. The client application can be configured to enforce one or more rules represented in the rule information. The client application can, for example, determine based on the one or more constraints that a condition for granting access is unmet and, in response, cancel a pending access request for the protected resource.

Abstract: Techniques for described for generating session-related timeout parameters that are user-specific in value. A user-specific timeout parameter offers several advantages over a static timeout parameter, including minimized the risk of session hijacking, fewer stale sessions to manage, and timeout parameters that more closely match the user's actual behavior. A value for a timeout parameter can therefore depend on information stored for a specific user. The stored information can indicate user behavior observed over a period of time encompassing multiple sessions and/or multiple accesses to the same or different resources. In certain embodiments, a value for a timeout parameter is determined by a prediction engine implemented using a machine learning (ML) model. The ML model may determine the timeout parameter based on information obtained records associated with the user for whom the timeout parameter value is being determined, as well as information from records associated with other users.

Abstract: An example method facilitates dynamic runtime execution of computer code that is selectively injected into messages in accordance with predetermined configuration rules for automatic execution at a message destination. The injection of code into messages, such as messages exchanged during an authenticated computing session, by a policy enforcement system, can be used to efficiently effectuate enhance computing environment security and computing resource use. For example, in a specific embodiment, code for detecting a browser-close event and then terminating a computing session can be automatically executed client side via a browser extension or plugin, thereby helping to eliminate the accumulation of stale computing sessions; thereby mitigating associated security risks and computing resource consumption of stale computing sessions. In another example embodiment, injected code encrypts session cookies, such as via a Time based One Time Password (TOTP).

Abstract: Techniques for described for generating session-related timeout parameters that are user-specific in value. A user-specific timeout parameter offers several advantages over a static timeout parameter, including minimized the risk of session hijacking, fewer stale sessions to manage, and timeout parameters that more closely match the user's actual behavior. A value for a timeout parameter can therefore depend on information stored for a specific user. The stored information can indicate user behavior observed over a period of time encompassing multiple sessions and/or multiple accesses to the same or different resources. In certain embodiments, a value for a timeout parameter is determined by a prediction engine implemented using a machine learning (ML) model. The ML model may determine the timeout parameter based on information obtained records associated with the user for whom the timeout parameter value is being determined, as well as information from records associated with other users.

Abstract: Techniques for described for generating and using rule-enhanced access tokens in connection with authorization for access to resources. An access token is generated in response to determining that a user is authorized to access a protected resource. The access token contains rule information including one or more constraints, each constraint corresponding to a condition for granting or denying access to the protected resource. Upon receiving the access token, a client application can present the access token for accessing the protected resource. The client application can be configured to enforce one or more rules represented in the rule information. The client application can, for example, determine based on the one or more constraints that a condition for granting access is unmet and, in response, cancel a pending access request for the protected resource.