How do I prevent a cookie replay attack in Siteminder?
Article ID: 108653
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
How do I prevent a cookie replay attack in Siteminder?
Environment
Policy Server version: 12.5.2
Resolution
Any application that manages sessions via cookie is subject to replay attacks. Siteminder has multiple embedded features that can help in preventing Cookie Replay.
1) Implement a Session Store
2) Configure your Realms to use the Session Store by configuring the Realm to use Persistent Sessions and by configuring the validation period setting.
3) Configure a Logoff URI. If set with Session Store. The Logoff URI will set the Cookie as LOGGEDEOFF in the session store and it can no longer be replayed.
Please find additional information regarding this issue.
"https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/PDF/siteminder_wa_config_enu.pdf"
Chapter 8 page 108 (Store Session Cookies on the Session Store for Improved Security)
1) Implement a Session Store
2) Configure your Realms to use the Session Store by configuring the Realm to use Persistent Sessions and by configuring the validation period setting.
3) Configure a Logoff URI. If set with Session Store. The Logoff URI will set the Cookie as LOGGEDEOFF in the session store and it can no longer be replayed.
Please find additional information regarding this issue.
"https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/PDF/siteminder_wa_config_enu.pdf"
Chapter 8 page 108 (Store Session Cookies on the Session Store for Improved Security)
Feedback
Yes
No
Powered by
