Administrative UI : Vulnerability : Lack of Cookie Attribute - Secure


Article ID: 4949

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

The session cookie for the Admin UI (JSESSIONID) is not configured to restrict its transmission to encrypted channels.

The 'secure' directive instructs the user's browser to send the cookie only over SSL/TLS encrypted connections; without it, the browser will also send the cookie over plain HTTP, where it can be observed on the network.

The Secure flag is not set for the JSESSIONID cookie.

Environment

Administrative UI : R12.52 SP2

Resolution

You can enable the Secure and the HttpOnly flags by adding the cookie-config element shown under "Element to modify" below to the web.xml file.

The location of web.xml file is : 

12.52SP2

<AdminUI_Install_directory>\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF

 

12.52SP1:

This version is not affected by this vulnerability and does not offer this configuration option.

 

Element to modify
===============

<session-config>
    <!-- cookie-config is only valid inside session-config (Servlet 3.0 schema);
         if web.xml already has a session-config element (typically holding
         session-timeout), add cookie-config inside that existing element -->
    <cookie-config>
        <!-- both flags are boolean: the only valid values are true or false -->
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

 

Note :

  • You will need to restart (recycle) the Admin UI service after making the change, because web.xml is read only when the application is deployed.
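The following script is an added example and is not part of this article or of the CA Single Sign-On product. It gives an administrator two checks around the change above: one that parses a web.xml fragment and reports whether the cookie-config element declares Secure and HttpOnly, and one that parses HTTP response headers (for example captured with curl -kI against the Admin UI login page after the restart) and reports the attributes actually sent on the JSESSIONID cookie. The web.xml fragments and Set-Cookie lines embedded below are constructed sample data; the JSESSIONID value and Path in them are placeholders.

```python
"""Verify the Secure and HttpOnly flags on the Admin UI session cookie,
both in web.xml (before restarting) and on the wire (after restarting).
Added example; not code from the article or the product."""
import xml.etree.ElementTree as ET

# Constructed sample: web.xml before the change (no cookie-config element).
WEB_XML_BEFORE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>
"""

# Constructed sample: web.xml after adding cookie-config inside session-config.
WEB_XML_AFTER = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
"""

# Constructed sample response headers; cookie value and path are placeholders.
HEADERS_BEFORE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: JSESSIONID=PLACEHOLDER; Path=/",
]
HEADERS_AFTER = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: JSESSIONID=PLACEHOLDER; Path=/; Secure; HttpOnly",
]


def _local(tag):
    """Strip the XML namespace prefix ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def check_web_xml(xml_text):
    """Return {'secure': bool, 'http-only': bool} as declared in a
    cookie-config element nested inside session-config.
    A missing element or any value other than 'true' counts as False,
    which matches the servlet container default."""
    root = ET.fromstring(xml_text)
    result = {"secure": False, "http-only": False}
    for session_config in root.iter():
        if _local(session_config.tag) != "session-config":
            continue
        for cookie_config in session_config:
            if _local(cookie_config.tag) != "cookie-config":
                continue
            for child in cookie_config:
                name = _local(child.tag)
                if name in result:
                    result[name] = (child.text or "").strip().lower() == "true"
    return result


def check_set_cookie(header_lines, cookie_name="JSESSIONID"):
    """Parse raw response header lines and report whether the named cookie
    was sent with the Secure and HttpOnly attributes.
    Returns None if no Set-Cookie header for that cookie is present."""
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        value = line.split(":", 1)[1].strip()
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        if name != cookie_name:
            continue
        # Attribute names are case-insensitive per RFC 6265.
        attrs = {p.lower() for p in parts[1:]}
        return {"secure": "secure" in attrs, "http-only": "httponly" in attrs}
    return None


if __name__ == "__main__":
    print("web.xml before:", check_web_xml(WEB_XML_BEFORE))
    print("web.xml after: ", check_web_xml(WEB_XML_AFTER))
    print("headers before:", check_set_cookie(HEADERS_BEFORE))
    print("headers after: ", check_set_cookie(HEADERS_AFTER))
```

Running check_web_xml against the real file before the restart catches a cookie-config that was placed outside session-config or given a non-boolean value, which the container would ignore; running check_set_cookie on captured headers after the restart confirms the flags are actually emitted, which is the only check that matters to the browser.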