SRG-APP-000439-WSR-000153

Article ID: 205009

Products

CA Infrastructure Management
CA Performance Management - Usage and Administration
DX NetOps

Issue/Introduction

SRG-APP-000439-WSR-000153

Rule Title: Web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed.

Discussion: A cookie is used when a web server needs to share data with the client's browser. The data is often used to remember the client when the client returns to the hosted application at a later date. A session cookie is a special type of cookie used to remember the client during the session. The cookie will contain the session identifier (ID) and may contain authentication data to the hosted application. To protect this data from easily being compromised, the cookie can be encrypted.
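
As an added example (not from this KB article or the DX NetOps product code), a small Python audit of the condition the rule describes: it flags a TLS-served response that carries a Set-Cookie header while compression is in use, and shows a TLS context configured so that record-level compression (which would cover the header block, cookies included) is never negotiated. The HTTP responses are constructed samples, not captures from a real server.

```python
import ssl
from typing import List, Tuple

# Encodings that imply compression; "identity" and "chunked" do not.
COMPRESSED_ENCODINGS = {"gzip", "x-gzip", "deflate", "br", "compress", "zstd"}

# Constructed sample responses (not captured from a real DX NetOps server).
SAMPLE_BAD = ("HTTP/1.1 200 OK\r\n"
              "Content-Type: text/html\r\n"
              "Content-Encoding: gzip\r\n"
              "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
              "\r\n<html>...</html>")
SAMPLE_OK = SAMPLE_BAD.replace("Content-Encoding: gzip\r\n", "")


def parse_head(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 response head into status line and lower-cased (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        if name:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_cookie_compression(raw: str, over_tls: bool = True) -> List[str]:
    """Report each Set-Cookie on a TLS response whose payload is sent compressed.

    Content-Encoding / Transfer-Encoding compress the HTTP body; the header block
    itself is only compressed by TLS record compression, which make_tls_context() forbids.
    """
    _, headers = parse_head(raw)
    cookies = [v.split("=", 1)[0] for n, v in headers if n == "set-cookie"]
    encodings = {t.strip().lower() for n, v in headers
                 if n in ("content-encoding", "transfer-encoding") for t in v.split(",")}
    compressed = encodings & COMPRESSED_ENCODINGS
    if not (over_tls and cookies and compressed):
        return []
    return [f"Set-Cookie {c} delivered with compressed body ({', '.join(sorted(compressed))})"
            for c in cookies]


def make_tls_context() -> ssl.SSLContext:
    """Context with TLS record compression turned off (already the library default)."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION  # set explicitly so the intent is visible in review
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context can never negotiate TLS compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)
```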

Environment

DX NetOps Performance Management 3.7

Cause

https://www.stigviewer.com/stig/web_server_security_requirements_guide/2019-03-20/finding/V-56005

Resolution

We cannot encrypt JSESSIONID. That cookie is controlled by Jetty: JSESSIONID is Jetty's session ID, an identifier the web server uses to look up the session information it stores server-side (the UserSession class object, among other data). It is, however, required for NetOps Performance Management to work. The login token (CADefaultCookie), by contrast, is encrypted.