Vulnerability: smsession cookie is passed and exposed in URL when calling cookie providers

Article ID: 385490

Updated On:

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

A vulnerability was reported in which the SMSESSION cookie is passed in the URL, as below:

“https://www.example.com/siteminderagent/SmMakeCookie.ccc?SMSESSION=-SM-gtRe1W......6h&PERSIST=0&TARGET=-SM-https%3a%2f%2fwww%2eexample%2ecom%2fportal%2fsample%2easpx”

Environment

SiteMinder:ALL

Cause

This is default product behavior by design.

Resolution

By default, agents pass SMSESSION cookies in the query string of cookie provider redirect URLs during multi-domain single sign-on operations. To improve security during these operations, set the StoreSessioninServer parameter so that agents and cookie providers store the session temporarily on the server and pass a GUID that identifies the stored session, instead of the session cookie itself, in the redirect URL.

Follow these steps:

  • Verify that your environment meets the following conditions:
    ◦ A session store is configured on the Policy Server.
    ◦ A value is set for the DefaultAgentName parameter in agents that are configured as cookie providers.
  • Set the StoreSessioninServer agent configuration parameter to Yes on all agents and cookie providers that are involved in multi-domain single sign-on.

The above steps should stop SMSESSION cookies from being exposed in the URL. If further security is needed, customers can consider implementing the ACO parameter SecureURLs. When the ACO parameter SecureURLs=yes, the query string is encrypted and carried in the SMQUERYDATA parameter instead of being sent in the clear.
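One way to verify the change took effect is to check web-server access logs for requests to the SmMakeCookie.ccc cookie-provider endpoint and classify whether each one still carries SMSESSION in the query string, or only the encrypted SMQUERYDATA parameter. The script below is an added example for that check, not CA/Broadcom code; it assumes an Apache/NGINX combined-style log line, uses the endpoint path and parameter names shown in this article, and runs over constructed sample lines with placeholder session values. It does not model the GUID-based redirect form, because the article does not show its URL layout.

```python
"""Scan access logs for SiteMinder cookie-provider redirects that still
expose SMSESSION in the query string (added example, not product code)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic). Session and
# ciphertext values are placeholders, not actual SiteMinder data.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /siteminderagent/SmMakeCookie.ccc?SMSESSION=-SM-PLACEHOLDER&PERSIST=0&TARGET=-SM-https%3a%2f%2fwww%2eexample%2ecom%2fportal%2fsample%2easpx HTTP/1.1" 302 0
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /siteminderagent/SmMakeCookie.ccc?SMQUERYDATA=PLACEHOLDERCIPHERTEXT HTTP/1.1" 302 0
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /portal/sample.aspx HTTP/1.1" 200 1234
"""

# Pulls the request target out of the quoted request line of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

COOKIE_PROVIDER_SUFFIX = "/smmakecookie.ccc"  # endpoint named in the article


def classify_request(target):
    """Classify one request target by what its query string carries."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(COOKIE_PROVIDER_SUFFIX):
        return "not-cookie-provider"
    # keep_blank_values so an empty SMSESSION= is still detected as a key
    keys = {k.upper() for k in parse_qs(parts.query, keep_blank_values=True)}
    if "SMSESSION" in keys:
        return "exposed"            # cleartext session cookie in the URL
    if "SMQUERYDATA" in keys:
        return "encrypted-query"    # SecureURLs=yes in effect
    return "no-session-in-query"    # e.g. session referenced some other way


def redact(target):
    """Blank the SMSESSION value so the report itself does not leak the session."""
    return re.sub(r"(?i)(SMSESSION=)[^&]*", r"\1<redacted>", target)


def scan_log(text):
    """Return (line_number, verdict, redacted_target) for each cookie-provider request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        verdict = classify_request(match.group("target"))
        if verdict == "not-cookie-provider":
            continue
        findings.append((lineno, verdict, redact(match.group("target"))))
    return findings


if __name__ == "__main__":
    for lineno, verdict, target in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {verdict}: {target}")
```

Any "exposed" verdict after StoreSessioninServer=Yes has been applied to every agent and cookie provider points to an agent that was missed, or to an agent whose DefaultAgentName or session-store prerequisite is not met. Note that the TARGET parameter remains visible either way; only the session value is the concern here.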

Additional Information