Admin ui JSESSIONID Cookie is Not Marked as Secure
Article ID: 228182
Updated On:
Products
SITEMINDER
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
Issue/Introduction
Cybersecurity team has flagged the below vulnerability in connection with SiteMinder Admin Console.
It appears that the session cookies are not being marked as secure, even though it was over https.
URL: https://admin_ui_host:8443/iam/siteminder/console/
Name: Session Cookie Not Marked as Secure
Severity: High
Confirmed: True
Identified Cookie(s) :
JSESSIONID
Cookie Source :
HTTP Header
Environment
Release : 12.8.05
Component : SITEMINDER WAM UI
Cause
This is out of box design with current 12.8 admin ui.
Expected result should be something like:
Set-Cookie: JSESSIONID=882D48C8842EA82E3F3AFACC4425A695; Path=/iam/siteminder; Secure; HttpOnly
Resolution
Open file ~/CA/siteminder/adminui/standalone/deployments/iam_siteminder.ear/user_console.war/WEB-INF/web.xml
Go to <cookie-config> tag:
Change content below
from:
<cookie-config>
<http-only>true</http-only>
<secure>false</secure>
</cookie-config>
To:
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
Secure sub tag must be true.
Recycle admin ui and login admin ui verify.
Additional Information
DE519825
Attachments
Feedback
Yes
No
Powered by
