When a Web Agent is configured with a Cookie Provider, the redirect it sends to the browser for the Cookie Provider carries the SMSESSION cookie value in the URL itself, which is considered a security risk.
Anyone who obtains that SMSESSION cookie value can replay it in their own browser.
The following Communities discussion, published 2 years ago, covers the topic. Have any new settings been added since then to handle this (1)?
Web Agent 12.52SP1CR10 on Apache 2.4.43 on RedHat 6;
At first glance, no: there is no specific implementation beyond the suggestions made in the referenced thread.
Implement SecureURLs to solve this issue:
SecureURLs=Yes
This parameter is designed specifically to address the issue described above (2).
(1)
How to address security vulnerability with Cookie Provider redirects?
(2)
Encrypt Query String Parameters in Redirection URLs
Specifies whether the Web Agent encrypts the SiteMinder query parameters in a redirect URL. You can use this setting to provide additional security for requested resources protected by an advanced authentication scheme, Password Services, or when a request invokes the Cookie Provider.
Follow these steps:
Set the value of the SecureURLs parameter to yes.
To encrypt query string parameters in redirection URLs within a single sign-on environment, ensure that all Web Agents in the single sign-on environment have the SecureURLs parameter set to the same value.
If you are using custom FCCs, add the smquerydata directive with the other FCC directives (such as TARGET) to the custom FCC.
Query string parameters are encrypted in SiteMinder redirection URLs.
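As an added example that is not part of this article or of the SiteMinder product, the following check scans Apache access-log lines for request targets or Referer values that still carry SMSESSION in the query string, which is what a defender would look for before and after enabling SecureURLs. The log lines, the cookie-provider path and the session value are constructed samples.

```python
"""Find cleartext SMSESSION values in redirect URLs recorded by Apache.

Reports the request target (the redirect the Web Agent issued) and the
Referer (where the browser carried that URL next) without copying the
session value itself into the report.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)


def leaked_params(url):
    """Return (name, value) pairs of query parameters in `url` whose name is
    SMSESSION, compared case-insensitively."""
    return [(k, v) for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if k.upper() == "SMSESSION"]


def scan(lines):
    """Return one finding per URL (target or Referer) that carries SMSESSION.
    Only the value's length is kept, so the report is not a second copy of
    the session token."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("target", "referer"):
            url = m.group(field)
            if url in ("", "-"):
                continue
            for _, value in leaked_params(url):
                findings.append({"client": m.group("client"), "time": m.group("ts"),
                                 "where": field, "path": urlsplit(url).path,
                                 "value_len": len(value)})
    return findings


# Constructed sample lines (not real traffic): a cookie-provider redirect that
# carries SMSESSION in the URL, a follow-up request whose Referer still carries
# it, and an unaffected request. "/sso/cookieprovider" is a placeholder path.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2021:10:15:01 +0000] "GET /sso/cookieprovider?SMSESSION=AbCdEf0123456789&PERSIST=0&TARGET=%2Fapp%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2021:10:15:02 +0000] "GET /app/ HTTP/1.1" 200 4523 "https://sso.example.test/sso/cookieprovider?SMSESSION=AbCdEf0123456789" "Mozilla/5.0"',
    '10.0.0.6 - - [12/Mar/2021:10:15:03 +0000] "GET /app/login HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} SMSESSION in {f['where']} {f['path']} (len {f['value_len']})")
```

With SecureURLs=Yes in effect on every agent in the SSO environment, a scan of fresh logs should return no findings.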