
Cookie Provider sends SMSESSION in query string - security risk


Article ID: 201587




CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER



When a Web Agent runs with a Cookie Provider, the Web Agent redirects the browser to the Cookie Provider with the SMSESSION cookie value inserted in the URL itself, which is considered a security risk:
anyone who obtains the SMSESSION cookie value can replay it in their own browser.

The following Communities discussion (1), published 2 years ago, covers the topic. Have any new settings been added since then to handle this?




Web Agent 12.52SP1CR10 on Apache 2.4.43 on RedHat 6




At first glance, no: there is no specific implementation beyond the suggestions made in the mentioned thread.

Implement SecureURLs to solve this issue.


This setting is specifically designed to solve the issue described above (2).


Additional Information



    (1) How to address security vulnerability with Cookie Provider redirects?


    (2) Encrypt Query String Parameters in Redirection URLs

      Specifies whether the Web Agent encrypts the SiteMinder query
      parameters in a redirect URL. You can use this setting to
      provide additional security for requested resources protected by
      an advanced authentication scheme, Password Services, or when a
      request invokes the Cookie Provider.

      Follow these steps:

      Set the value of the SecureURLs parameter to yes.

      To encrypt query string parameters in redirection URLs within a
      single sign-on environment, ensure that all Web Agents in the
      single sign-on environment have the SecureURLs parameter set to
      the same value.

      If you are using custom FCCs, add the smquerydata directive with
      the other FCC directives (such as TARGET) to the custom FCC.

      Query string parameters are encrypted in SiteMinder redirection URLs.
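As an added example (not part of this article or of the CA documentation), the script below audits Apache access logs for Cookie Provider redirects that still carry a readable SMSESSION value in the query string, which is exactly what SecureURLs is meant to remove. The Cookie Provider path /siteminderagent/SmMakeCookie.ccc and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache log lines (not real traffic). Line 1 shows the unencrypted
# Cookie Provider redirect the article describes; line 2 shows the same redirect
# after SecureURLs=yes, where only the smquerydata parameter is visible.
# The /siteminderagent/SmMakeCookie.ccc path is assumed for this example.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /siteminderagent/SmMakeCookie.ccc'
    '?SMSESSION=AbCdEf123&PERSIST=0&TARGET=-SM-https%3a%2f%2fapp.example.com%2f HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /siteminderagent/SmMakeCookie.ccc'
    '?smquerydata=Zm9vYmFy HTTP/1.1" 302 0',
    '10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512',
]

# Request line inside a Common/Combined Log Format record
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Used only to redact the token value before it is written to a report
SESSION_RE = re.compile(r"(?i)(SMSESSION=)[^&\s]+")


def classify_request(url: str) -> str:
    """'plaintext' when SMSESSION is a readable query parameter (SecureURLs off),
    'encrypted' when only smquerydata is present (SecureURLs on),
    'none' when the URL carries no SiteMinder session data at all."""
    params = {k.lower() for k in parse_qs(urlsplit(url).query, keep_blank_values=True)}
    if "smsession" in params:
        return "plaintext"
    if "smquerydata" in params:
        return "encrypted"
    return "none"


def audit_log(lines):
    """Return (line number, redacted URL) for each request exposing SMSESSION."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        url = match.group(1)
        if classify_request(url) == "plaintext":
            findings.append((number, SESSION_RE.sub(r"\g<1><redacted>", url)))
    return findings


if __name__ == "__main__":
    for number, url in audit_log(SAMPLE_LOG):
        print(f"line {number}: SMSESSION exposed in redirect URL: {url}")
```

Any finding means SecureURLs is not in effect on the agent that issued the redirect (or was set inconsistently across the single sign-on environment); a log that only ever shows smquerydata is the expected state.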