Admin ui JSESSIONID Cookie is Not Marked as Secure

Article ID: 228182

Updated On: 02-25-2025

Products

SITEMINDER
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

The cybersecurity team has flagged the vulnerability below in connection with the SiteMinder Admin Console.

The session cookie is not being marked as Secure, even though the connection was over HTTPS.

URL: https://example_admin_ui_host:8443/iam/siteminder/console/
Name: Session Cookie Not Marked as Secure
Severity: High
Confirmed: True

Identified Cookie(s) :
JSESSIONID

Cookie Source :
HTTP Header

Environment

Release : 12.8.x

Component : SITEMINDER WAM UI

Cause

This is the out-of-the-box design of the current 12.8 Admin UI.

Expected result should be something like:

Set-Cookie: JSESSIONID=882D4....................695; Path=/iam/siteminder; Secure; HttpOnly

Resolution

Open the file ~/CA/siteminder/adminui/standalone/deployments/iam_siteminder.ear/user_console.war/WEB-INF/web.xml

Locate the <cookie-config> tag and change its content

from:
<cookie-config>
    <http-only>true</http-only>
    <secure>false</secure>
</cookie-config>

to:
<cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
</cookie-config>

The <secure> sub-tag must be set to true.
Restart (recycle) the Admin UI, then log in to the Admin UI and verify that the JSESSIONID Set-Cookie header now carries the Secure flag.
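The following is an added example, not code from the article or from the SiteMinder product. It checks both halves of the fix above: it reads the <http-only> and <secure> values out of a web.xml <cookie-config> block, and it inspects the Set-Cookie lines of a captured HTTP response to confirm JSESSIONID carries Secure and HttpOnly. The web.xml fragment and the response headers are constructed samples (the JSESSIONID value is a placeholder); the element names and the Secure/HttpOnly attributes are the standard servlet and HTTP ones.

```python
"""Verify the JSESSIONID cookie flags before and after the web.xml fix.

Added example; not part of the Broadcom article or the SiteMinder product.
All inputs below are constructed samples.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the relevant part of a web.xml before the fix.
# In a Servlet 3.0+ deployment descriptor <cookie-config> sits under
# <session-config>; the namespace is the standard Java EE one.
WEB_XML_BEFORE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>false</secure>
    </cookie-config>
  </session-config>
</web-app>
"""

# Same descriptor with <secure> flipped to true, as the article instructs.
WEB_XML_AFTER = WEB_XML_BEFORE.replace("<secure>false</secure>", "<secure>true</secure>")

# Constructed sample response headers (as `curl -s -D - -o /dev/null URL`
# would print them). PLACEHOLDER_SESSION_ID stands in for a real session id.
HEADERS_BEFORE = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=PLACEHOLDER_SESSION_ID; Path=/iam/siteminder; HttpOnly
Content-Type: text/html
"""
HEADERS_AFTER = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=PLACEHOLDER_SESSION_ID; Path=/iam/siteminder; Secure; HttpOnly
Content-Type: text/html
"""


def _local(tag):
    """Strip an XML namespace prefix like '{http://...}' from a tag name."""
    return tag.rsplit("}", 1)[-1]


def cookie_config_flags(web_xml_text):
    """Return {'http-only': bool, 'secure': bool} from the first <cookie-config>.

    A missing sub-element counts as False, matching the servlet container
    default when the flag is not declared.
    """
    flags = {"http-only": False, "secure": False}
    root = ET.fromstring(web_xml_text)
    for element in root.iter():
        if _local(element.tag) != "cookie-config":
            continue
        for child in element:
            name = _local(child.tag)
            if name in flags:
                flags[name] = (child.text or "").strip().lower() == "true"
        break
    return flags


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie_name, {attribute: value}).

    Attribute names are lower-cased; flag attributes without a value
    (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    cookie_name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return cookie_name, attrs


def check_response_headers(raw_headers):
    """Map each cookie set in the response to whether it has Secure and HttpOnly."""
    verdicts = {}
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie_name, attrs = parse_set_cookie(line.split(":", 1)[1])
        verdicts[cookie_name] = (
            attrs.get("secure") is True and attrs.get("httponly") is True
        )
    return verdicts


if __name__ == "__main__":
    for label, xml_text in (("before", WEB_XML_BEFORE), ("after", WEB_XML_AFTER)):
        print(f"web.xml {label}: {cookie_config_flags(xml_text)}")
    for label, headers in (("before", HEADERS_BEFORE), ("after", HEADERS_AFTER)):
        print(f"Set-Cookie {label}: {check_response_headers(headers)}")
```

To run the header check against a live Admin UI, capture the response headers with `curl -s -D - -o /dev/null https://example_admin_ui_host:8443/iam/siteminder/console/` and pass the output to `check_response_headers`; a `False` for JSESSIONID after the restart means the changed web.xml was not the one deployed.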
 
This cannot be made the default setting because the WAM UI can be registered over either HTTP or HTTPS. If it is registered on the non-SSL port 8080 and the session cookie is marked Secure, the browser will never send the cookie back over plain HTTP, so the login page gets into a loop.