How do we prevent a cookie replay attack in Siteminder?

Article ID: 108653

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

How do we prevent a cookie replay attack in Siteminder?

Environment

Applicable to all the supported components.

Component: Policy Server 12.8.x releases.

Resolution

Any application that manages sessions via a cookie is subject to replay attacks: a copied session cookie is accepted for as long as it is valid unless the server can tell that the session it represents has ended. SiteMinder has several built-in features that help prevent cookie replay.

1) Implement a Session Store.

2) Configure your Realms to use the Session Store: enable Persistent Sessions on the Realm and set the Validation Period, which controls how often a persistent session is re-validated against the Session Store.

3) Configure a Logoff URI. When a Session Store is in use, a request to the Logoff URI marks the session as LOGGEDOFF in the Session Store, so the cookie can no longer be replayed.

4) Implement IP checking (enable or disable IP checking for persistent and transient cookies), so that the Web Agent rejects a cookie presented from an IP address other than the one it was issued to. Note that clients whose address changes between requests (for example behind a NAT pool or a forward proxy) can be rejected by this check, so verify your network topology before enabling it.

- Compare IP Addresses to Prevent Security Breaches:

Document reference:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-7/configuring/web-agent-configuration/user-protection/verify-ip-addresses.html#concept.dita_480b0a5f8c68644cb501c1791049ab20a264b1e7_CompareIPAddressestoPreventSecurityBreaches

5) Use the Session Store to Increase Security for Multi-Domain Single Sign-On:

Document reference:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/session-protection/session-cookie-management.html#concept.dita_e8264b5396e5470619cc9429f5cffc0b66cfb4d7_UsetheSessionStoretoIncreaseSecurityforMultiDomainSingleSignOn

- Detailed information on Session Cookie Management (Store Session Cookies on the Session Store for Improved Security):

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/session-protection/session-cookie-management.html#concept.dita_e8264b5396e5470619cc9429f5cffc0b66cfb4d7_StoreSessionCookiesontheSessionStoreforImprovedSecurity