How does the ACO parameter CustomIPHeader work?
What is the expected behaviour among these 4 configurations of that
parameter:
1 - when there's no header;
2 - when the header is set with one value;
3 - when the header is set with 2 values;
4 - when the header is set with n > 2 values;
By default, the Web Agent obtains the requesting client's IP address
from the Web Server variable REMOTE_ADDR (Remote Address) that the Web
Server sets for a particular request. The Web Agent stores the
client's IP address as a value in the SMSESSION cookie.
The Web Agent accepts only a single value in this header; that
restriction is motivated by security concerns.
CustomIPHeader accepts a single value because of the attacks that
would be possible if SiteMinder allowed multiple values:
Sample attack:
1. "Alice" logs into SiteMinder with IP 111.111.111.111;
2. "Mallory" has IP 2.2.2.2;
3. "Mallory" captures "Alice's" SiteMinder credential and learns her IP;
4. "Mallory" configures his browser to send "Alice's" cookie along
with the header "x-forwarded-for: 111.111.111.111";
5. Mallory issues a request to MyHR, ENET, or Authoria;
6. Proxy modifies the XFF (X-Forwarded-For) header to be "111.111.111.111,2.2.2.2";
7. The Web Agent runs the IP check;
8. The credential contains IP 111.111.111.111;
9. The REMOTE_ADDR is Proxy, so XFF will be used;
10. The first 15 characters of XFF are 111.111.111.111;
11. IP check passes, because 111.111.111.111 = 111.111.111.111;
12. Mallory is interactively logged into ACS applications as Alice;
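The following is an added illustration, not Web Agent code: it models the IP check from the sample attack (take the first 15 characters of the header when REMOTE_ADDR is the proxy) next to a single-value check that fails whenever the header is absent or carries more than one address, and runs both over the four header configurations from the question. The session data, proxy address and function names are assumptions made for the example.

```python
from ipaddress import ip_address

# Constructed sample: the IP the SMSESSION cookie was issued with and the proxy's address.
SESSION_IP = "111.111.111.111"
PROXY_ADDRS = {"10.0.0.5"}


def header_values(raw):
    """Split a comma-separated header such as X-Forwarded-For into its values."""
    return [v.strip() for v in raw.split(",") if v.strip()]


def first15_check(session_ip, remote_addr, xff, proxy_addrs=PROXY_ADDRS):
    """Check as described in steps 9-11: when REMOTE_ADDR is the proxy,
    compare the first 15 characters of XFF with the IP in the credential."""
    candidate = xff[:15] if remote_addr in proxy_addrs else remote_addr
    return candidate == session_ip


def single_value_check(session_ip, remote_addr, xff, proxy_addrs=PROXY_ADDRS):
    """Single-value policy: the header must hold exactly one parseable address,
    and it must equal the IP in the credential. No header, or two or more
    values (the proxy appended its own client address), fails the check."""
    if remote_addr not in proxy_addrs:
        return remote_addr == session_ip
    values = header_values(xff)
    if len(values) != 1:
        return False
    try:
        return ip_address(values[0]) == ip_address(session_ip)
    except ValueError:
        return False


# The four configurations from the question, seen from behind the proxy.
CASES = {
    "no header": "",
    "one value": "111.111.111.111",              # Alice herself, via the proxy
    "two values": "111.111.111.111,2.2.2.2",     # spoofed header + proxy's append
    "n > 2 values": "111.111.111.111,2.2.2.2,3.3.3.3",
}


def evaluate(session_ip=SESSION_IP, remote_addr="10.0.0.5"):
    """Return {case: (first15_result, single_value_result)} for every configuration."""
    return {name: (first15_check(session_ip, remote_addr, xff),
                   single_value_check(session_ip, remote_addr, xff))
            for name, xff in CASES.items()}


if __name__ == "__main__":
    for name, (naive, strict) in evaluate().items():
        print(f"{name:13s} first-15-chars={naive!s:5s} single-value={strict}")
```

Only the one-value case passes the single-value check, while the first-15-characters check also passes the two-value header from step 6, which is the case the attack relies on.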