Release Automation Session Cookie Configuration

Article ID: 144421

Products

CA Release Automation - Release Operations Center (Nolio)
CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

The session cookie of CA Release Automation is missing the configuration below, which gets listed in vulnerability reports. Please provide how we can correct this, or a justification for keeping it as is.
  • HttpOnly attribute
  • Path attribute is set to /

Environment

Release : 6.6

Component : CA RELEASE AUTOMATION CORE

Resolution

Please find the configuration and justification for each of the session cookie attributes mentioned above.
  • Configure Authentication Cookie Security
session.cookie.HttpOnly: Defines whether the Set-Cookie HTTP response header for the session cookie includes the HttpOnly flag. Without this flag, an attacker can retrieve the session cookie through cross-site scripting (XSS), because the cookie is readable from script in the browser.

Enable session.cookie.HttpOnly
  • Open the distributed.properties file located on the management server at RA_HOME\conf
  • Add the following text to distributed.properties, and configure each parameter according to your security preference:
#set the following to true so the Set-Cookie HTTP response header contains HttpOnly flag
session.cookie.HttpOnly=true
  • Save and close the distributed.properties file
  • Restart the Release Automation Server service for the change to take effect
     Note: For more details, please refer to Configure Authentication Cookie Security in the additional references.


  • Path attribute is set to /

Release Automation sub-components need to use cookie information such as the session ID internally, so the Path attribute is set to / by product design. On the other hand, the Domain attribute is not set, so the browser sends the cookie only to the host that issued it. If you want to protect the cookie further, please consider implementing SSL and configuring the session.cookie.secure parameter described in the document above.

     Note: For more details, please refer to Secure Communication in the additional references.
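To verify the outcome of the steps above from the browser side, the following Python script (an added example, not CA product code) parses a Set-Cookie response header and reports the attributes discussed in this article: HttpOnly, Secure, Path and Domain. It also checks a distributed.properties snippet for the session.cookie.HttpOnly=true line. The cookie name JSESSIONID, the session-id value and both sample headers are constructed for illustration; capture the real header from the Release Automation server (for example with browser developer tools) and pass it in the same way.

```python
"""Audit a Set-Cookie header and a distributed.properties snippet for the
session cookie attributes discussed in this article.

Added example, not CA product code. Cookie name, session-id value and
sample headers are constructed for illustration.
"""

# Constructed sample headers: before and after enabling HttpOnly (and Secure).
WEAK_HEADER = "JSESSIONID=constructed-session-id; Path=/"
FIXED_HEADER = "JSESSIONID=constructed-session-id; Path=/; HttpOnly; Secure"

# Constructed distributed.properties excerpt after applying the article's step.
PROPERTIES_SNIPPET = """\
#set the following to true so the Set-Cookie HTTP response header contains HttpOnly flag
session.cookie.HttpOnly=true
"""


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and a lower-cased attribute map.

    Flag attributes without a value (HttpOnly, Secure) map to True;
    valued attributes (Path, Domain, Max-Age, ...) map to their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str, require_secure: bool = False) -> list:
    """Return (severity, message) findings for the cookie attributes.

    HttpOnly is always required. Secure is required only when the deployment
    runs over SSL (require_secure=True), matching the article's advice.
    Path=/ is reported as informational because it is by product design.
    """
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append(("HIGH", "HttpOnly missing: cookie is readable by browser script"))
    if require_secure and "secure" not in attrs:
        findings.append(("MEDIUM", "Secure missing: cookie may be sent over plain HTTP"))
    if attrs.get("path") == "/":
        findings.append(("INFO", "Path=/ is expected: RA sub-components share the session cookie"))
    if "domain" in attrs:
        findings.append(("LOW", "Domain set: cookie shared across hosts; RA leaves it unset"))
    return findings


def httponly_enabled(properties_text: str) -> bool:
    """True if the properties text sets session.cookie.HttpOnly=true.

    Handles the 'key=value' form used in the article; comments and blank
    lines are skipped. (Java properties also allow ':' separators, which this
    simple check does not cover.)
    """
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        if key.strip() == "session.cookie.HttpOnly":
            return val.strip().lower() == "true"
    return False


if __name__ == "__main__":
    for label, header in (("before", WEAK_HEADER), ("after", FIXED_HEADER)):
        print(f"{label}: {header}")
        for severity, message in audit_set_cookie(header, require_secure=True):
            print(f"  [{severity}] {message}")
    print("distributed.properties enables HttpOnly:", httponly_enabled(PROPERTIES_SNIPPET))
```

Running the script prints a HIGH finding for the weak header and only the informational Path note for the corrected one; the same functions can be pointed at the real header and the real distributed.properties file to confirm the change took effect after the service restart.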

Additional Information

Please refer to the CA Release Automation Product Security Configuration documents below.