SMSession Shared Between Users


Article ID: 191996

Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction


We're running a Web Agent, and when user XXXYYY accesses a resource,

its session later gets used by user AAABBB.

How can we prevent this?

Environment


Policy Server 12.8SP3 on RedHat 7

Resolution


To prevent the SMSESSION cookie from being cached by proxies,

set the ExpireForProxy and ProxyTrust parameters as described in the
documentation.

  Configure Agents that Sit behind Proxy Servers
  Customize the Cache-Control and ExpireForProxy Header Settings
  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/web-agent-configuration/advanced-configuration-settings/agents-and-proxy-servers.html#concept.dita_0ddef1973865831c1b3ef9847bed8ae11901af59_CustomizetheCacheControlandExpireForProxyHeaderSettings

Read the documentation carefully, as other parameters must be set
along with these.
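To make the caching risk concrete, here is an added example (not from this article and not the Web Agent's own logic) that classifies what a shared proxy cache may do with a response, following the explicit-directive rules of RFC 7234 sections 3 and 4.2 (no heuristic freshness). It flags responses that carry a Set-Cookie header and could be served as-is to the next client. The two header sets are constructed for the example; the cookie value is a placeholder, and the "hardened" headers show the kind of Cache-Control/Expires values the ExpireForProxy settings aim for rather than the agent's exact output.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument-or-None}, names lower-cased."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_verdict(headers, now):
    """Classify what a shared (proxy) cache may do with a response.

    Simplified from RFC 7234 sections 3 and 4.2: explicit directives and Expires
    only, no heuristic freshness. Returns 'not-stored', 'stored-revalidate'
    (may be stored, but must be revalidated with the origin before reuse) or
    'stored-reusable' (may be served to the next client as-is).
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return "not-stored"
    if "no-cache" in cc:
        return "stored-revalidate"
    ttl = cc.get("s-maxage", cc.get("max-age"))
    if ttl is not None:
        return "stored-reusable" if ttl.isdigit() and int(ttl) > 0 else "stored-revalidate"
    expires = h.get("expires")
    if expires is None:
        return "stored-revalidate"
    try:
        exp = parsedate_to_datetime(expires)
    except (TypeError, ValueError):
        return "stored-revalidate"  # an unparsable Expires counts as already expired
    if exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)
    return "stored-reusable" if exp > now else "stored-revalidate"


def leaks_session(headers, now):
    """True when a response that sets a cookie could be served from a shared cache to another client."""
    has_cookie = any(k.lower() == "set-cookie" for k in headers)
    return has_cookie and shared_cache_verdict(headers, now) == "stored-reusable"


NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference clock

# Constructed response headers; the cookie value is a placeholder, not a real SMSESSION.
WEAK_RESPONSE = {
    "Set-Cookie": "SMSESSION=<placeholder>; Path=/; Secure; HttpOnly",
    "Expires": "Mon, 01 Jan 2035 00:00:00 GMT",  # far-future date and no Cache-Control
}
HARDENED_RESPONSE = {
    "Set-Cookie": "SMSESSION=<placeholder>; Path=/; Secure; HttpOnly",
    "Cache-Control": "no-cache, private",          # shared caches may not store it
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",   # date in the past
}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, shared_cache_verdict(resp, NOW), "leaks:", leaks_session(resp, NOW))
```

Run it against captured response headers from the protected site (for example, from a proxy access log or a browser's network view) to confirm that every response carrying SMSESSION ends up as `not-stored` once the agent parameters are in place.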

Further, as you have an F5 load balancer, you might investigate its
stickiness (persistence) feature:

Persistence

  Persistence otherwise known as stickiness is a technique implemented
  by ADCs to ensure requests from a single user are always distributed
  to the server on which they started.

  [...]

  The concept of cookie-based persistence has since been applied to
  application sessions, using session ID information generated by web
  and application servers to ensure that user requests are always
  directed to the same server during the same session.

  [...]

https://www.f5.com/services/resources/white-papers/cookies-sessions-and-persistence

If possible, to prevent more than one IP address from using the same
cookie, implement the IP check for the cookie:

  Verify IP Addresses
    Compare IP Addresses to Prevent Security Breaches

     The IP checking feature requires the agent to compare the IP address
     stored in a cookie from the last request against the IP address
     contained in the current request. If the IP addresses do not match,
     the agent rejects the request.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/web-agent-configuration/user-protection/verify-ip-addresses.html

  Configure IP Address Validation

    Specifies an HTTP header for which the agent searches to find the IP
    address of the requestor. If no value is specified for this parameter,
    the default is an empty string. No maximum length is enforced and the
    value can be any string that contains a valid HTTP header value.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/web-agent-configuration/web-application-protection/default-http-headers-used-by-the-product.html
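The two passages above (the IP check itself, and the header the agent can be told to read the requester's address from) interact when a proxy or load balancer sits in front of the web server: every request then arrives from the proxy's own address, so an IP check that uses the connection peer cannot tell two users apart. The following is an added example, not from this article and not the Web Agent's code, that models the documented rule in a few lines and shows the difference a configured header makes. The addresses, the session token, the header-parsing rule (right-most entry, assuming the trusted proxy appends the client address and overwrites anything the client sent) and the `IpCheckAgent` class are all constructed for the example.

```python
import ipaddress


def requester_ip(remote_addr, headers, custom_ip_header=""):
    """Return the IP the check should attribute the request to.

    With no header configured, the connection peer is used (behind a proxy that is
    the proxy itself).  With a header configured, the right-most address in it is
    used, on the assumption that the trusted proxy appends the client address it saw
    and strips or overwrites anything the client supplied.  (Hypothetical parsing,
    not the agent's own.)
    """
    if custom_ip_header:
        value = next((v for k, v in headers.items()
                      if k.lower() == custom_ip_header.lower()), None)
        if value:
            candidate = value.split(",")[-1].strip()
            return str(ipaddress.ip_address(candidate))  # raises ValueError on junk
    return remote_addr


class IpCheckAgent:
    """Models the documented rule: remember the IP from the last request on a
    session and reject the next request if its IP differs."""

    def __init__(self, custom_ip_header=""):
        self.custom_ip_header = custom_ip_header
        # session token -> IP seen on the previous request.  Stands in for the
        # value the real agent keeps inside the (opaque) session cookie.
        self.last_ip = {}

    def handle(self, token, remote_addr, headers):
        current = requester_ip(remote_addr, headers, self.custom_ip_header)
        previous = self.last_ip.get(token)
        if previous is not None and previous != current:
            return "reject"
        self.last_ip[token] = current
        return "allow"


PROXY_IP = "10.0.0.5"          # constructed: reverse proxy / load balancer address
USER_A_IP = "203.0.113.10"     # constructed: legitimate session owner
USER_B_IP = "198.51.100.20"    # constructed: second client presenting A's token
TOKEN = "constructed-session-token"


def second_client_decision(custom_ip_header=""):
    """Both clients reach the web server through PROXY_IP, which appends the real
    client address to X-Forwarded-For.  Returns the agent's decision for client B,
    who presents client A's session token."""
    agent = IpCheckAgent(custom_ip_header)
    agent.handle(TOKEN, PROXY_IP, {"X-Forwarded-For": USER_A_IP})
    return agent.handle(TOKEN, PROXY_IP, {"X-Forwarded-For": USER_B_IP})


if __name__ == "__main__":
    print("no header configured:", second_client_decision())                        # allow
    print("X-Forwarded-For configured:", second_client_decision("X-Forwarded-For"))  # reject
```

The first case is the one to watch for in a deployment like the one in the question: with a proxy in front of the agent and no header configured, the check passes for every client because all of them share the proxy's address. Whatever header is configured must be set by the proxy itself and not be passable through from the client, otherwise the comparison is against a value the client controls.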