Identity Manager semicolon and jsessionid cookie in URL line

Article ID: 269688

Products

CA Identity Manager

Issue/Introduction

After upgrading from 14.3 to 14.4 (or 14.5), when navigating through the user application in the browser, the public tasks for Self Registration/Forgot User ID generate a malformed URI: index.jsp is missing, and an extraneous semicolon and jsessionid cookie value appear on the URL line.

On 14.3/14.4 URL:

https://<hostname>/iam/im/yourimenv/ui7/index.jsp?facesViewId=/app/page/screen/fp_identify_user.jsp

On 14.4/14.5 URL:

https://<hostname>/im/yourimenv/ui7/;jsessionid=02Z0gBdm#########_o6wwnfc9_xLuMa.<hostname>?facesviewId=/app/page/profile/profile.jsp

The Web Application Firewall blocks this request because it classifies it as an "authentication bypass vulnerability via semicolon", citing CVE-2020-13933 (Apache Shiro).

How can the malformed URL be fixed in 14.4+, given that the jsessionid cookie and semicolon should not appear on the URL line and index.jsp should follow /ui7/?

Environment

Identity Manager 14.4/14.5 on JBoss EAP 7.4.
Current scenario: Identity Governance and Administration (IGA) V15 on JBoss EAP v8.1.0.

Cause

The issue was caused by a misconfiguration in JBoss/WildFly that allowed URL rewriting for session tracking, so the container appended the session ID to the path as ;jsessionid=... instead of relying on the session cookie alone.

Resolution

The resolution depends on the product version:

1. For Identity Manager 14.4/14.5 on JBoss EAP 7.4 (Manual Configuration)

To fix the malformed URL and restrict session tracking to HTTP cookies only, manually edit the web.xml file located under iam_im.ear/user_console.war/WEB-INF and add the following session configuration:

<session-config>
    <!-- Session idle timeout in minutes -->
    <session-timeout>60</session-timeout>
    <cookie-config>
        <!-- JSESSIONID is not readable by client-side script -->
        <http-only>true</http-only>
        <!-- JSESSIONID is only sent over HTTPS -->
        <secure>true</secure>
    </cookie-config>
    <!-- Cookie-only session tracking: the container no longer rewrites ;jsessionid= into URLs -->
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
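As an added verification aid, not part of this article or the product: a small Python script that parses a web.xml (constructed before/after samples embedded inline) and reports whether session tracking is restricted to cookies with HttpOnly and Secure set, plus a helper that flags URLs carrying the ;jsessionid= path parameter the WAF objected to. The sample file contents, host names and function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a web.xml as an upgraded deployment might carry it, with no
# <tracking-mode>, so the container may fall back to URL rewriting (;jsessionid=).
WEB_XML_BEFORE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config><session-timeout>60</session-timeout></session-config>
</web-app>"""

# Constructed sample: the same file after adding the session-config block from the article.
WEB_XML_AFTER = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>60</session-timeout>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""

def _local(tag):
    # web.xml elements are namespaced ({http://...}session-config); compare on the local name.
    return tag.rsplit("}", 1)[-1]

def _texts(parent, name):
    # All text values of descendant elements with the given local name.
    return [(e.text or "").strip() for e in parent.iter() if _local(e.tag) == name]

def session_tracking_findings(web_xml_text):
    """Return findings for a web.xml; an empty list means cookie-only, HttpOnly and Secure."""
    root = ET.fromstring(web_xml_text)
    configs = [e for e in root.iter() if _local(e.tag) == "session-config"]
    if not configs:
        return ["no <session-config>: container defaults apply, URL rewriting stays possible"]
    cfg = configs[0]
    findings = []
    modes = _texts(cfg, "tracking-mode")
    if modes != ["COOKIE"]:
        findings.append(f"tracking-mode is {modes or 'unset'}, expected exactly ['COOKIE']")
    for flag in ("http-only", "secure"):
        if _texts(cfg, flag) != ["true"]:
            findings.append(f"cookie-config/{flag} is not true")
    return findings

def url_carries_session_in_path(url):
    """True when the path holds the ;jsessionid path parameter that URL rewriting appends."""
    # urlsplit keeps path parameters inside .path (urlparse would split them off).
    return ";jsessionid=" in urlsplit(url).path.lower()
```

Run session_tracking_findings against the deployed user_console.war/WEB-INF/web.xml after each patch to confirm the tracking-mode setting survived, and url_carries_session_in_path against proxy or WAF log URLs to confirm rewriting has stopped.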

2. For Identity Governance and Administration (IGA) V15 on JBoss EAP 8.1.0 (Fix Pack 5 Solution)

The requirement that specific customers restrict session tracking to HTTP cookies only, by adding <tracking-mode>COOKIE</tracking-mode>, is now addressed out-of-the-box in IGAxpress V15:
Solution: Starting with Fix Pack 5, the out-of-the-box secure-cookies parameter, which is already set to true on the IGX dashboard, automatically adds the <tracking-mode>COOKIE</tracking-mode> setting to the user_console/WEB-INF/web.xml file.
Benefit: This pre-configured setting prevents URL rewriting for session tracking, so no manual customization is needed to achieve this security best practice.
Action: Ensure your IGA V15 environment is updated to Fix Pack 5 or later. The update was released on 12-March-2026.
Important Warning Regarding Manual Customization: see Additional Information below.

Additional Information

Any manual change or customization made to the web.xml file (for example, adding the session-config block by hand) will be overwritten whenever a subsequent IGAxpress Fix Pack or patch is installed on v15. Customers must be prepared to reapply any manual customizations to this file after every patch installation. Since Fix Pack 5 now provides this configuration automatically, manual customization should be avoided for this specific setting.