
Configure IP Checking in Siteminder Correctly.


Article ID: 256560


Updated On:

Products

SITEMINDER

Issue/Introduction

An unauthorized system can sniff packets, steal a session cookie, and replay that cookie from another host to gain access. To reduce the risk of this kind of breach, you can enable or disable IP checking for persistent and transient cookies.


IP checking requires the agent to compare the IP address stored in the SMSESSION cookie when it was issued against the IP address of the current request. If the two addresses do not match, the agent rejects the request.

This setting is frequently configured incorrectly. The most common misconfiguration is:

persistentcookies=no
persistentipcheck=yes
transientipcheck=no

 

Environment

Release : ANY

Cause

'PersistentIPCheck' does not mean 'constant' or 'always'. There is no such thing as a 'sporadic' or 'random' IP check: both TransientIPCheck and PersistentIPCheck apply to every request. The difference is which kind of cookie each parameter governs. PersistentIPCheck applies when the agent issues persistent cookies (stored on the client's disk); TransientIPCheck applies when it issues transient cookies (held in memory for the life of the browser session). In the misconfiguration above the agent issues transient cookies (PersistentCookies=no), so PersistentIPCheck=yes has no effect, and TransientIPCheck=no means no IP check is performed at all.

Resolution

Option #1: Using Transient Cookies

persistentcookies=no
persistentipcheck=no
transientipcheck=yes

This is the most common configuration. Transient cookies are the default. The SMSESSION cookie is held in the browser's memory and is discarded when the browser session ends.

----------------------

Option #2: Using Persistent Cookies

persistentcookies=yes
persistentipcheck=yes
transientipcheck=no

This configuration is fairly uncommon. It allows the session cookie to survive across browser sessions; the trade-off is that the cookie is written to disk on the client host, where it can be read by anything with access to that disk.

Both configurations ensure that every subsequent request originates from the same IP address as the original GET that generated the SMSESSION cookie. Note that this binds the session to the source address the agent sees: a client whose address changes mid-session (for example, one that moves between proxies or networks) will have its requests rejected.
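The following script is an added example (not CA/Broadcom code) that applies the rule explained in the Cause section to an agent configuration file: it parses key=value lines in the style of WebAgent.conf or LocalConfig.conf, works out which cookie type the agent issues, and reports whether the IP check that governs that cookie type is actually on. The three embedded configurations are constructed samples matching the misconfiguration and the two options above. It assumes that a missing parameter behaves as "no" and that parameter names are case-insensitive; parameters set as ACO values on the Policy Server are outside its scope.

```python
"""Audit a SiteMinder Web Agent configuration for the IP-check misconfiguration."""

from typing import Dict, List, Tuple

# Constructed sample configurations: the three combinations discussed in the article.
MISCONFIGURED = """\
# transient cookies, but only the persistent check is switched on
persistentcookies="no"
persistentipcheck="yes"
transientipcheck="no"
"""

TRANSIENT_OK = """\
persistentcookies="no"
persistentipcheck="no"
transientipcheck="yes"
"""

PERSISTENT_OK = """\
persistentcookies="yes"
persistentipcheck="yes"
transientipcheck="no"
"""


def parse_agent_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines (WebAgent.conf / LocalConfig.conf style).

    Keys and values are lower-cased (case-insensitive parameter names are an
    assumption), surrounding quotes on values are stripped, and comment (#)
    or blank lines are ignored.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip().strip('"').strip("'").lower()
    return conf


def _yes(conf: Dict[str, str], key: str) -> bool:
    # A missing parameter is treated as "no" (assumed default for all three parameters).
    return conf.get(key, "no") == "yes"


def effective_ip_check(conf: Dict[str, str]) -> Tuple[str, bool]:
    """Return (cookie type the agent issues, whether IP checking actually applies).

    Only the check matching the cookie type in use has any effect:
    PersistentIPCheck governs persistent cookies, TransientIPCheck transient ones.
    """
    if _yes(conf, "persistentcookies"):
        return "persistent", _yes(conf, "persistentipcheck")
    return "transient", _yes(conf, "transientipcheck")


def audit(text: str) -> List[str]:
    """Return findings for a configuration; an empty list means the IP check is coherent."""
    conf = parse_agent_conf(text)
    cookie_type, enabled = effective_ip_check(conf)
    active = f"{cookie_type}ipcheck"
    inactive = "transientipcheck" if cookie_type == "persistent" else "persistentipcheck"
    cookies_value = "yes" if cookie_type == "persistent" else "no"
    findings: List[str] = []
    if not enabled:
        findings.append(
            f"IP checking is effectively OFF: the agent issues {cookie_type} cookies "
            f"and {active} is not 'yes'"
        )
    if _yes(conf, inactive):
        findings.append(
            f"{inactive}=yes has no effect while persistentcookies={cookies_value}; "
            f"set {active}=yes instead"
        )
    return findings


if __name__ == "__main__":
    samples = (("misconfigured", MISCONFIGURED),
               ("option 1", TRANSIENT_OK),
               ("option 2", PERSISTENT_OK))
    for name, sample in samples:
        print(name, "->", audit(sample) or ["OK"])
```

Run it against a copy of your own agent configuration by passing the file contents to audit(); a configuration that reports "IP checking is effectively OFF" while an administrator believes it is on is exactly the situation the article describes.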