Client IP Validation using the 'X-Forwarded-For' HTTP Header

Article ID: 265370

Products

SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

Cookie Hijacking is an attack in which an attacker steals a valid browser session cookie and then submits requests to web resources using the other user's session cookie, impersonating the original user and gaining access to the protected resource. In many cases, an organization will want to prevent Cookie Hijacking of the Siteminder SMSESSION cookie.

Cookie Hijacking can be prevented in Siteminder by using IP Checking. When IP Checking is enabled, the IP address of the user is recorded in the SMSESSION cookie at the time of successful authentication and authorization. Each subsequent request with that cookie must come from the same IP address. If an SMSESSION cookie is hijacked, a request carrying that cookie is rejected if it comes from a different IP address.

This solution presents issues if the organization has placed a proxy server between the web browser (client) and the web server/web agent or Access Gateway server. The request from the proxy server carries the proxy server's IP address, so all requests appear to come from the same IP address.

Background:

We have IP Validation configured to use the x-forwarded-for header.  This means the session cookie IP is validated against the x-forwarded-for IP.

Issue: During a user session, some of the users connecting to our site have to re-authenticate because the client IP changes and no longer matches the SMSESSION cookie IP. I do not know why a client IP would change, maybe some kind of load balancing? In any event, the number of users experiencing this is larger than I would expect.

Key Agent settings: (All settings attached)

RequireClientIP: yes

CustomIpHeader: HTTP_X_FORWARDED_FOR

ProxyDefinition: AUTO

Question: Are there some additional settings that could mitigate this that I am missing, because we would like to keep IP Validation using the x-forwarded-for IP in place? Please advise.

Environment

Product: Siteminder

Component: Web Agent and Access Gateway

Version: ANY

Operating System: ANY

Cause

When a request goes through a proxy server or load balancer, it is forwarded to the back-end server using the IP address of the load balancer or proxy server. If IP Checking were enabled under these conditions, then all requests would be coming from the same IP address, and all SMSESSION cookies would be tied to the IP address of the load balancer or proxy server. An attacker coming through the load balancer would have the same IP address in the request as is stored in the stolen cookie.

Resolution

Implement the 'X-Forwarded-For' HTTP Header for IP Checking.

1) Configure the load balancer or proxy server to populate the end user's IP address in the 'X-Forwarded-For' header (see the third-party load balancer or proxy server documentation, or its administrator).

2) Configure the Web Agent or Access Gateway to use an HTTP header value instead of the requestor's IP when a request comes from a specific load balancer or proxy server.

a) Log onto the Siteminder AdminUI

b) Modify the Agent Configuration Object (ACO)

c) Set the following value:

ProxyDefinition = <Proxy/LoadBalancer_IP>

3) Configure the Web Agent or Access Gateway to read the end user's IP address from a specific header (e.g. X-Forwarded-For) when a request comes from that load balancer or proxy server.

a) Log onto the Siteminder AdminUI

b) Modify the Agent Configuration Object (ACO)

c) Set the following value:

CustomIpHeader = X-Forwarded-for

4) Configure IP Checking

a) Log onto the Siteminder AdminUI

b) Modify the Agent Configuration Object (ACO)

c) Configure either PersistentIPCheck or TransientIPCheck (not both):

    • If you enabled PersistentCookies, set PersistentIPCheck = yes.
    • If you did not enable PersistentCookies, set TransientIPCheck = yes.

With these settings in place, when a request arrives from the IP address of the load balancer or proxy server, the web agent reads the client IP address from the 'X-Forwarded-For' header. The agent uses that IP during the initial authentication and authorization, and it is the IP that is tied to the session.

When subsequent requests arrive with that same SMSESSION cookie, the cookie is accepted if the IP in X-Forwarded-For matches the IP address stored in the SMSESSION cookie. If the IPs do not match, the request is rejected and the user is redirected to the authentication scheme.
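To make the Cause and Resolution sections concrete, here is an added Python model of the check. It is not CA/Broadcom code and does not reproduce the agent's real implementation: the SMSESSION cookie is a plain dict, the addresses are constructed, and the rule for a multi-valued header (walk it from the right, take the first entry that is not a configured proxy) is an assumption rather than documented agent behaviour. The parameter names mirror the ACO names used above. The first scenario shows the weakness the Cause section describes, the second shows the corrected configuration rejecting a replayed cookie, a forged header prefix and a request that bypasses the proxy, and the third shows one way a bound IP can move between requests in this model when an intermediate hop is missing from ProxyDefinition; whether that matches the situation in the Background section is not something the article establishes.

```python
"""Model of SiteMinder-style IP checking behind a proxy or load balancer.

Added example, not CA/Broadcom code.  The SMSESSION cookie is a plain dict;
the real cookie is encrypted and carries far more than the IP.  Parameter
names follow the ACO names in the article; the multi-valued header parsing
rule is an assumption, not documented agent behaviour.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class AgentConfig:
    ip_check: bool = True                    # TransientIPCheck / PersistentIPCheck = yes
    proxy_definition: Set[str] = field(default_factory=set)  # ProxyDefinition addresses
    custom_ip_header: Optional[str] = None   # CustomIpHeader, e.g. "X-Forwarded-For"


@dataclass
class Request:
    remote_addr: str                         # TCP peer address the web server sees
    headers: Dict[str, str]                  # header names matched exactly in this model
    cookie: Optional[dict] = None            # the SMSESSION cookie, if presented


def effective_client_ip(cfg: AgentConfig, req: Request) -> str:
    """IP the agent binds to the session and later compares against.

    The header is consulted only when the request arrives from an address in
    ProxyDefinition; from anywhere else it is client-controlled and ignored.
    Assumption: each proxy appends the address it saw, so the list is walked
    from the right and the first entry that is not itself a configured proxy
    is the one a trusted hop vouched for.
    """
    if cfg.custom_ip_header and req.remote_addr in cfg.proxy_definition:
        raw = req.headers.get(cfg.custom_ip_header, "")
        hops = [h.strip() for h in raw.split(",") if h.strip()]
        for hop in reversed(hops):
            if hop in cfg.proxy_definition:
                continue
            try:
                ipaddress.ip_address(hop)    # e.g. "unknown" is not an address
            except ValueError:
                break                        # fall back to the peer address
            return hop
    return req.remote_addr


def authenticate(cfg: AgentConfig, req: Request) -> dict:
    """Successful login: the cookie records the IP in force at that moment."""
    return {"user": "alice", "ip": effective_client_ip(cfg, req)}


def validate(cfg: AgentConfig, req: Request) -> str:
    """'accept', or 'reject' (the agent sends the user back to authenticate)."""
    if req.cookie is None:
        return "no-cookie"
    if cfg.ip_check and effective_client_ip(cfg, req) != req.cookie["ip"]:
        return "reject"
    return "accept"


LB = "10.0.0.5"                              # constructed addresses for the scenarios
CLIENT, OTHER = "198.51.100.10", "203.0.113.9"
XFF = "X-Forwarded-For"


def without_proxy_definition() -> str:
    """Cause section: IP checking on but the proxy not declared, so every
    session binds to the proxy address and a cookie stolen from one client
    validates for another client arriving through the same proxy."""
    cfg = AgentConfig()
    cookie = authenticate(cfg, Request(LB, {XFF: CLIENT}))
    return validate(cfg, Request(LB, {XFF: OTHER}, cookie))   # 'accept'


def with_proxy_definition() -> tuple:
    """Resolution: proxy declared and header named.  Same client is accepted;
    a different client, a forged prefix the proxy appended the real address
    to, and a direct hit that bypasses the proxy are all rejected."""
    cfg = AgentConfig(proxy_definition={LB}, custom_ip_header=XFF)
    cookie = authenticate(cfg, Request(LB, {XFF: CLIENT}))
    return (
        validate(cfg, Request(LB, {XFF: CLIENT}, cookie)),
        validate(cfg, Request(LB, {XFF: OTHER}, cookie)),
        validate(cfg, Request(LB, {XFF: f"{CLIENT}, {OTHER}"}, cookie)),
        validate(cfg, Request(OTHER, {XFF: CLIENT}, cookie)),
    )


def two_tier_proxies() -> dict:
    """Edge LB 10.0.0.5 appends the client; an inner tier (10.0.0.6/10.0.0.7)
    appends the LB and is the peer the agent sees.  If the inner tier is not
    in ProxyDefinition, the session binds to whichever inner node handled the
    login and breaks when a later request lands on the other node."""
    hdr = {XFF: f"{CLIENT}, {LB}"}
    out = {}
    for name, proxies in (("all listed", {LB, "10.0.0.6", "10.0.0.7"}), ("inner unlisted", {LB})):
        cfg = AgentConfig(proxy_definition=proxies, custom_ip_header=XFF)
        cookie = authenticate(cfg, Request("10.0.0.6", hdr))
        out[name] = (cookie["ip"], validate(cfg, Request("10.0.0.7", hdr, cookie)))
    return out
```

The point the model makes is that the header is only as trustworthy as the hop that set it: the agent must consult it solely for requests that arrive from an address in ProxyDefinition, and every proxy tier between the client and the agent has to be declared there, otherwise sessions bind to an intermediate address instead of the client's.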

Additional Information

Configure IP Address Validation

Header Variables and End-User IP Address Validation