Why can we re-use an SMSESSION cookie after Logout?
A stolen SMSESSION cookie can be replayed in future requests, from another browser or the same one, until the session expires.
The session expiration is stored inside the cookie itself: when a Web Agent decodes the cookie, it checks the Session Timeout
(Max/Idle) directly from that session data and, by default, does not validate the session against the Policy Server.
The scenario above is not an expected situation, since in a properly secured network nobody should be able to steal an SMSESSION cookie.
Release:
Component: SMPLC
You can use the following solutions for this issue:
1. Implement Enhanced Session Assurance with DeviceDNA
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/enhanced-session-assurance-with-devicedna.html
2. Use Persistent session/realms with a short Session Validation Period
For persistent sessions only, you can specify the time period that the Web Agent caches the result of a session validation call to the Policy Server.
Session validation calls perform two functions: informing the Policy Server that a user is still active and checking that the user session is still valid.
After a logoff, the session is removed from the session store, so if an SMSESSION cookie is replayed after the validation period,
the Web Agent contacts the Policy Server, finds that the session is invalid, and rejects the user session.
3. Enable TransientIPCheck so that the agent compares the IP address stored in a transient cookie from the last request against the IP address contained in the current request. See Compare IP Addresses to Prevent Security Breaches.
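As an added illustration (not SiteMinder code and not its real cookie format), the following Python model reproduces the agent-side decision described above: timeouts checked from the cookie alone, TransientIPCheck, and the cached Policy Server validation call for persistent sessions. The `WebAgent` and `Cookie` names, the session-store set, the IP addresses and the timestamps are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Cookie:
    """Models what the article says the SMSESSION cookie carries: session id, activity times, timeouts."""
    session_id: str
    issued_at: int      # seconds (constructed values)
    last_seen: int
    max_timeout: int    # Max session timeout
    idle_timeout: int   # Idle timeout


class WebAgent:
    def __init__(self, session_store, persistent=False, validation_period=0, transient_ip_check=False):
        self.store = session_store          # Policy Server session store: set of active session ids
        self.persistent = persistent
        self.validation_period = validation_period
        self.transient_ip_check = transient_ip_check
        self.validated_at = {}              # session id -> time of the last validation call (cached result)

    def accept(self, c, now, client_ip, transient_ip=None):
        # Default behaviour: Max/Idle are checked from the cookie alone, with no Policy Server call.
        if now - c.issued_at > c.max_timeout or now - c.last_seen > c.idle_timeout:
            return False
        # TransientIPCheck: the IP recorded at the previous request must match the current one.
        if self.transient_ip_check and transient_ip is not None and transient_ip != client_ip:
            return False
        # Persistent session: re-validate once the cached result is older than the validation period.
        if self.persistent:
            last = self.validated_at.get(c.session_id)
            if last is None or now - last >= self.validation_period:
                if c.session_id not in self.store:
                    return False
                self.validated_at[c.session_id] = now
        return True


def replay_after_logoff(persistent=False, validation_period=0, transient_ip_check=False):
    """Victim (10.0.0.5) logs in at t=0 and logs off at t=5; the stolen cookie is replayed
    from 10.0.0.9 at t=10 and t=40. Returns whether each replay was accepted."""
    store = {"sid-1"}
    agent = WebAgent(store, persistent, validation_period, transient_ip_check)
    cookie = Cookie("sid-1", issued_at=0, last_seen=0, max_timeout=7200, idle_timeout=3600)
    assert agent.accept(cookie, 0, "10.0.0.5")   # legitimate request; validation result cached at t=0
    store.discard("sid-1")                       # t=5: logoff removes the session from the store
    return tuple(agent.accept(cookie, t, "10.0.0.9", transient_ip="10.0.0.5") for t in (10, 40))
```

With the default (non-persistent) agent both replays are accepted; with a persistent session and a 30-second validation period the replay at t=10 is still accepted because the cached validation has not expired, which is why the article recommends keeping the Session Validation Period short.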