Cookie Provider sends SMSESSION in query string - security risk

Article ID: 201587

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

When a Web Agent is configured with a Cookie Provider, the Web Agent redirects the browser to the Cookie Provider and the SMSESSION cookie value is carried in the query string of that redirect URL. This is considered a security risk.

Anyone who obtains the SMSESSION value from that URL can replay it in their own browser.

A Communities discussion published two years ago covers this topic (1). Have new settings been added since then to handle it?

Environment

Web Agent 12.52SP1CR10 on Apache 2.4.43 on RedHat 6

Resolution

At first glance, no: there is no specific implementation beyond the suggestions made in the mentioned thread (1).

Set the SecureURLs parameter to solve this issue:

  SecureURLs=Yes

This parameter is specifically designed to solve the issue described above (2).
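To check whether SMSESSION values are actually reaching the web server's access log (before enabling SecureURLs, and again afterwards to confirm the redirect no longer carries them), the following added example scans Apache combined-format log lines for requests whose query string contains an SMSESSION parameter. This is example code written for this article, not part of the article itself or of the SiteMinder product. The log lines, client addresses, Cookie Provider path and parameter values are constructed; the third line is an assumed post-fix redirect whose query carries only an opaque SMQUERYDATA parameter (the name follows the smquerydata directive mentioned in the documentation excerpt below, but the exact parameter name used by the product is an assumption here). The report deliberately redacts the matched value so the audit output does not itself become a second copy of the session.

```python
"""Audit Apache access-log lines for SiteMinder session values carried in URLs.

Added example for the SMSESSION-in-query-string issue; not product code.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache "combined" format (not real traffic).
# Line 1: a Cookie Provider redirect that carries SMSESSION in the query string.
# Line 2: an ordinary protected-resource request with no query string.
# Line 3: assumed post-fix form, where the query holds only an opaque
#         SMQUERYDATA value (parameter name is an assumption).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /siteminderagent/SmMakeCookie.ccc?SMSESSION=AbCdEf123xyz&TARGET=https%3A%2F%2Fapp.example.test%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /protected/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /siteminderagent/SmMakeCookie.ccc?SMQUERYDATA=9b3fOpaqueBlob%3D HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache combined log: client ident user [time] "method target protocol" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Query parameters whose value is a replayable session if it ever appears in a URL.
SENSITIVE_PARAMS = {"SMSESSION"}


def parse_access_log_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def redact(value, keep=4):
    """Keep only a short prefix so the audit report does not leak the session itself."""
    return value[:keep] + "..." if len(value) > keep else "..."


def find_session_values_in_urls(lines):
    """Return one finding per request whose query string carries a sensitive parameter.

    Matching is case-insensitive on the parameter name; the value is redacted.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        rec = parse_access_log_line(line)
        if rec is None:
            continue
        query = urlsplit(rec["target"]).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key.upper() in SENSITIVE_PARAMS:
                findings.append({
                    "line": lineno,
                    "client": rec["client"],
                    "time": rec["time"],
                    "path": urlsplit(rec["target"]).path,
                    "param": key,
                    "value_prefix": redact(value),
                    "status": rec["status"],
                })
    return findings


if __name__ == "__main__":
    for f in find_session_values_in_urls(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: {f['client']} -> {f['path']} "
              f"exposes {f['param']}={f['value_prefix']} (HTTP {f['status']})")
```

Run it against a real access log with `find_session_values_in_urls(open(path).readlines())`; a clean result after SecureURLs=Yes is rolled out to every Web Agent in the single sign-on environment confirms the redirect no longer exposes the session value, while any remaining hit points at an agent that still has the old setting.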

Additional Information

(1)

    How to address security vulnerability with Cookie Provider redirects?

(2)

    Encrypt Query String Parameters in Redirection URLs

      Specifies whether the Web Agent encrypts the SiteMinder query
      parameters in a redirect URL. You can use this setting to
      provide additional security for requested resources protected by
      an advanced authentication scheme, Password Services, or when a
      request invokes the Cookie Provider.

      Follow these steps:

      Set the value of the SecureURLs parameter to yes.

      To encrypt query string parameters in redirection URLs within a
      single sign-on environment, ensure that all Web Agents in the
      single sign-on environment have the SecureURL parameter set to
      the same value.

      If you are using custom FCCs, add the smquerydata directive with
      the other FCC directives (such as TARGET) to the custom FCC.

      Query string parameters are encrypted in SiteMinder redirection URLs.