Cross-site Scripting with Smsession Cookie


Article ID: 36462


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

Introduction: 

This document concerns the composition of the smsession cookie string itself.

Question:

Will an smsession cookie be blocked once the cross-site scripting check is turned on in the Agent Configuration Object (ACO)?

Environment:  

Windows/Unix

Answer:

Generally speaking, an smsession cookie is not passed directly through a URL via HTTP GET.

Even in the occasional case where it is, or where a customized redirect places it in the URL, turning on the cross-site scripting check should not affect the request itself.

The reason is that the SiteMinder smsession value is a Base64-encoded string.
The standard Base64 index table is documented on public Internet sites: it is a 64-character alphabet consisting of upper- and lower-case Roman letters (A–Z, a–z), the numerals (0–9), and the "+" and "/" symbols. The "=" symbol is also used as a special suffix (padding) code.

Generally, a cross-site scripting check in an agent configuration will not list any of the characters mentioned above, so a value made up only of those characters is not matched by the check.
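As an added example (not code from the article or from the product), the Python check below applies an ACO-style comma-separated bad-character list, such as a cross-site scripting check uses, to a Base64-shaped value: it confirms the value uses only the 64-character alphabet plus "=", lists which configured tokens (if any) would match it, and reports whether a list contains any Base64 character at all, which is the case a practitioner would want to catch before enabling the check. The smsession value and the bad-character lists are constructed for the example and are not the product defaults; the comma-separated list format is an assumption.

```python
import base64
import string

# The alphabet the article describes: A-Z, a-z, 0-9, "+", "/" and the "=" suffix.
BASE64_CHARS = set(string.ascii_letters + string.digits + "+/=")

# Constructed sample only (not a real smsession): the trailing bytes are chosen
# so the encoding contains both "+" (index 62) and "/" (index 63).
SAMPLE_SMSESSION = base64.b64encode(
    b"constructed sample" + b"\xfb\xef\xbe" + b"\xff\xff\xff"
).decode("ascii")


def parse_bad_chars(aco_value):
    """Split an assumed comma-separated bad-character setting into tokens.

    Each token may be a single character or a multi-character sequence.
    """
    return [tok for tok in aco_value.split(",") if tok]


def is_base64_shaped(value):
    """True if value uses only the Base64 alphabet plus "=" and decodes cleanly."""
    if not value or any(ch not in BASE64_CHARS for ch in value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return False
    return True


def flagged_tokens(value, bad_chars):
    """Return the configured tokens that occur in value (empty list = not blocked)."""
    return [tok for tok in bad_chars if tok in value]


def alphabet_overlap(bad_chars):
    """Single-character tokens that belong to the Base64 alphabet.

    A non-empty result means some Base64 values placed in a URL would be
    matched by the check, so the list deserves a review before it is enabled.
    """
    return [tok for tok in bad_chars if len(tok) == 1 and tok in BASE64_CHARS]


if __name__ == "__main__":
    # Constructed lists, not product defaults.
    safe_list = parse_bad_chars("<,>,',;,),(,&")
    risky_list = parse_bad_chars("<,>,',;,),(,&,+")
    print("base64 shaped:", is_base64_shaped(SAMPLE_SMSESSION))
    print("flagged by safe list:", flagged_tokens(SAMPLE_SMSESSION, safe_list))
    print("flagged by risky list:", flagged_tokens(SAMPLE_SMSESSION, risky_list))
    print("alphabet overlap in risky list:", alphabet_overlap(risky_list))
```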

Additional Information:

For Base64 encoding in general, see https://en.wikipedia.org/wiki/Base64

Environment

Release: ETRSBB99000-12.52-SiteMinder-B to B
Component: