Commit 7ed4b2e

updates
1 parent 14acd1c commit 7ed4b2e

4 files changed: +41 -18 lines changed

articles/container-apps/TOC.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -64,9 +64,9 @@
6464
href: jobs.md
6565
- name: Dynamic sessions
6666
items:
67-
- name: Sessions overview
67+
- name: Overview
6868
href: sessions.md
69-
- name: Sessions usage
69+
- name: Usage
7070
href: sessions-usage.md
7171
- name: Session pools
7272
href: session-pool.md

articles/container-apps/session-pool.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ ms.author: cshoe
1111

1212
# Use session pools in Azure Container Apps
1313

14-
Azure Container Apps sessions are secure sandboxed environments ideal for running code or applications that require strong isolation from other workloads. Sessions are managed by a pool which provides immediate access to new sessions, and is responsible for handling the lifecycle of each session.
14+
Session pools provide subsecond session allocation times for new pools, and is responsible for the management and lifecycle of each session.
1515

1616
## Configuration
1717
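
Review bot: new line 14 says pools provide subsecond allocation times "for new pools", which reads as a slip for "new sessions", and "Session pools ... is responsible" has a subject-verb mismatch (should be "are responsible"). The rewrite also drops the intro's statement that sessions are sandboxed and isolated from other workloads; keep a short clause or a link to sessions.md so a reader landing on this article still sees the isolation property the pool is managing.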

articles/container-apps/sessions-usage.md

Lines changed: 18 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ ms.custom: references_regions, ignite-2024
1212

1313
# Use dynamic sessions in Azure Container Apps
1414

15-
Azure Container Apps dynamic [sessions](sessions.md) offer isolated, secure contexts when you need to run code or applications separately from other workloads. Sessions run inside a [session pool](session-pool.md) which provides immediate access to new and existing sessions.
15+
Azure Container Apps dynamic [sessions](sessions.md) offer isolated, secure contexts when you need to run code or applications separately from other workloads. Sessions run inside a [session pool](session-pool.md) which provides immediate access to new and existing sessions. These sessions are ideal for scenarios where user-generated input needs to be processed in a controlled manner or when integrating third-party services that require executing code in an isolated environment.
1616

1717
This article shows you how to manage and interact with dynamic sessions.
1818

@@ -30,13 +30,11 @@ For more information managing session pools, see [session pools management endpo
3030

3131
## Forwarding requests to a session's container
3232

33-
To send a request into a session's container, you use the management endpoint as the root for your request.
34-
35-
Anything in the path following the base pool management endpoint is forwarded to the session's container.
33+
To send a request into a session's container, you use the management endpoint as the root for your request. Anything in the path following the base pool management endpoint is forwarded to the session's container.
3634

3735
For example, if you make a call to: `<POOL_MANAGEMENT_ENDPOINT>/api/uploadfile`, the request is routed to the session's container at `0.0.0.0:<TARGET_PORT>/api/uploadfile`.
3836

39-
## Continuous session interaction
37+
## Continuous interaction
4038

4139
As you continue to make calls to the same session, the session remains [allocated](sessions.md#session-lifecycle) in the pool. Once there are no requests to the session after the cooldown period has elapsed, the session is automatically destroyed.
4240
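
Review bot: renaming the heading at new line 37 from "Continuous session interaction" to "Continuous interaction" changes its generated anchor, so any existing link to #continuous-session-interaction stops resolving. Search the docset for inbound links before merging, or keep the original heading text.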

@@ -80,7 +78,7 @@ The identifier must be a string that is 4 to 128 characters long and can contain
8078

8179
## Work with files
8280

83-
You can upload and download files and list all files to a session.
81+
You can upload and download files, and list all the files in a session.
8482

8583
### Upload a file
8684

@@ -169,6 +167,20 @@ Only configure or upload sensitive data to a session if you trust the users of t
169167

170168
By default, sessions are prevented from making outbound network requests. You can control network access by configuring network status settings on the session pool.
171169

170+
- **Use strong, unique session identifiers**: Always generate session identifiers that are long and complex to prevent brute-force attacks. Use cryptographic algorithms to create identifiers that are hard to guess.
171+
172+
- **Limit session visibility**: Set strict access controls to ensure that session identifiers are only visible to the session pool. Avoid exposing session IDs in URLs or logs.
173+
174+
- **Implement short expiration times**: Configure session identifiers to expire after a short period of inactivity. This approach minimizes the risk of sessions being hijacked after a user has finished interacting with your application.
175+
176+
- **Regularly rotate session credentials**: Periodically review and update the credentials associated with your sessions. Rotation decreases the risk of unauthorized access.
177+
178+
- **Utilize secure transmission protocols**: Always use HTTPS to encrypt data in transit, including session identifiers. This approach protects against man-in-the-middle attacks.
179+
180+
- **Monitor session activity**: Implement logging and monitoring to track session activities. Use these logs to identify unusual patterns or potential security breaches.
181+
182+
- **Validate user input**: Treat all user input as dangerous. Use input validation and sanitation techniques to protect against injection attacks and ensure that only trusted data is processed.
183+
172184
To fully secure your sessions, you can:
173185

174186
- [Use Microsoft Entra ID authentication and authorization](#authentication)
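
Review bot: the seven bullets added at new lines 170-182 sit between the outbound-network paragraph and "To fully secure your sessions, you can:" with no lead-in sentence, and several read as generic web session advice rather than guidance for dynamic sessions. "Configure session identifiers to expire after a short period of inactivity" should name the mechanism that does this (the article earlier describes the session being destroyed after the cooldown period), "credentials associated with your sessions" in the rotation bullet is never defined, and "only visible to the session pool" is unclear, since the application making the calls must also hold the identifier. Suggest adding an intro line, tying each bullet to a concrete setting, and replacing "long and complex" with a stated minimum length or entropy within the 4 to 128 character limit the article gives.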

articles/container-apps/sessions.md

Lines changed: 20 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -28,27 +28,27 @@ With sessions, you get:
2828

2929
* **Scalable**: Sessions can run at a high scale. You can run hundreds or thousands of sessions concurrently.
3030

31+
* **API access**: Sessions are exposed to your application via a single HTTP endpoint.
32+
3133
## Session
3234

3335
A session is a sandboxed environment that runs untrusted code or your application.
3436

35-
Each session is isolated from all other sessions and from the host environment with a [Hyper-V](/windows-server/virtualization/hyper-v/hyper-v-technology-overview) sandbox. Hyper-V technology is at the foundation for session isolation, ensuring that different sessions operate independently with the necessary security boundaries in place.
36-
37-
For enhanced network security, you can enable session network isolation on your session.
37+
Each session is isolated from all other sessions and from the host environment with a [Hyper-V](/windows-server/virtualization/hyper-v/hyper-v-technology-overview) sandbox. Hyper-V technology is at the foundation for session isolation, ensuring that different sessions operate independently with the necessary security boundaries in place. For enhanced network security, you can enable session network isolation on your session.
3838

39-
Each session executes in the context of a session pool.
39+
There are two different types of sessions.
4040

4141
## Session types
4242

43-
Sessions are exposed to your application via a single HTTP endpoint.
44-
4543
Azure Container Apps supports two types of sessions:
4644

4745
| Type | Description | Billing model |
4846
|------|-------------|---------------|
4947
| [Code interpreter sessions](./sessions-code-interpreter.md) | Fully managed code interpreter which allows you to run code in a sandbox preinstalled with popular libraries.<br><br>Ideal for running untrusted code, such as code provided by users of your application or code generated by a large language model (LLM).<br><br>You can use the session out-of-the-box or with a [language model framework](./sessions-code-interpreter.md#llm-framework-integrations). | Per session (consumption) |
5048
| [Custom container sessions](./sessions-custom-container.md) | Bring-your-own-container option where you run your own container images in secure, isolated sandboxes.<br><br>This approach is a good option if you want to run a custom code interpreter for a language that isn't supported out of the box, or workloads that require strong isolation. | Container Apps Dedicated Plan |
5149

50+
Each session, regardless of type, runs in the context of a session pool.
51+
5252
## Session pools
5353

5454
To provide subsecond session allocation times, Azure Container Apps maintains a pool of ready but unallocated sessions. When your application makes a request for a session that hasn't been used before, the pool automatically assigns a new session for you. As sessions are allocated, the pool is automatically replenished to maintain a constant number of ready sessions.
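
Review bot: new line 39, "There are two different types of sessions.", is followed directly by the "## Session types" heading and "Azure Container Apps supports two types of sessions:", so the same statement appears twice within a few lines; drop line 39. At new line 37, the network isolation sentence is now folded into the Hyper-V paragraph and still does not say where session network isolation is configured; a link to that setting would make it actionable.
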
@@ -94,7 +94,18 @@ Dynamic sessions are available in the following regions:
9494

9595
Custom container sessions are billed based on the resources consumed by the session pool. For more information, see [Azure Container Apps billing](billing.md#custom-container).
9696

97-
## Next steps
97+
## Security
98+
99+
Use the following methods to help harden the security of your dynamic sessions.
100+
101+
* **Secure identifiers**: Use secure [session identifiers](sessions-usage.md#identifiers) at all times. Generate session identifiers using cryptographic methods to ensure unique and unpredictable values. Avoid using sequential IDs that could be guessed by an attacker.
102+
103+
* **Use HTTPS**: Always use HTTPS to encrypt data in transit. This protects session identifiers and any sensitive data exchanged between the client and server from being intercepted.
104+
105+
* **Limit session lifetime**: Implement timeouts for sessions. For instance, allow a maximum of 15 minutes of inactivity before the session is automatically terminated. This helps mitigate risks due to a lost or unattended device.
106+
107+
* **Regular audits and monitoring**: Periodically review session management practices and logs. Implement monitoring tools to alert suspicious activities, such as repeated failed login attempts or abnormal session lengths.
108+
109+
## Related content
98110

99-
> [!div class="nextstepaction"]
100-
> [Use serverless containers](start-serverless-containers.md)
111+
* [Session pools](./session-pool.md)
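
Review bot: the Security bullets at new lines 101-107 describe end-user login sessions ("lost or unattended device", "repeated failed login attempts") rather than sandboxed dynamic sessions, and they overlap with the bullets this same commit adds to sessions-usage.md. Suggest keeping one list in one article and rewording the lifetime bullet in terms of the cooldown period described in sessions-usage.md instead of a generic 15 minute timeout; "alert suspicious activities" should read "alert on suspicious activity". The hunk also replaces the "Next steps" call to action for start-serverless-containers.md with a single "Related content" link, so confirm that article is still reachable from elsewhere.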
