Installing and configuring a Web Agent on Apache 2.4.
Apache 2.4 runs with the PHP module, which expects some of the default SiteMinder headers such as:
SM_USER,
SM_DOMAIN,
etc.
It also expects some custom headers whose names contain an underscore, such as:
USER_NAME,
etc.
However, when looking at the HTTP headers in the PHP module logs, none of the headers with an underscore in its name is set.
All other headers are working fine.
This is the result of a change introduced in Apache 2.4 that affects multiple modules such as mod_cgi, mod_include, mod_isapi, mod_php, etc. (1)(2).
It was introduced to prevent cross-site scripting attacks via header injection (3).
Headers whose names contain invalid characters (including underscores) are now silently dropped.
For the default SiteMinder headers, specify which naming convention the Web Agent uses with the following parameter, which controls whether the Web Agent puts underscores in HTTP header names:
LegacyVariables = yes (default)
The HTTP headers contain underscores (e.g. SM_USER, SM_USERDN).
LegacyVariables = no
The HTTP headers do not contain underscores (e.g. SMUSER, SMUSERDN).
LegacyVariables only controls the default SiteMinder HTTP headers.
It does not modify user-defined HTTP headers.
So, to avoid this restriction in Apache 2.4, ensure that the custom HTTP header names do not contain any underscore.
Alternatively, refer to the workaround suggested by Apache, which effectively bypasses this new security restriction (2).
It uses mod_setenvif and mod_headers to accept the headers with underscores.
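The following httpd configuration is an added example of that mod_setenvif / mod_headers pattern; it is not taken from this article, from the Web Agent documentation, or verbatim from the Apache documentation. It re-admits two specific headers (the default SM_USER and the custom USER_NAME used above; both names are assumed for illustration) by copying each value into an environment variable before the CGI variable table drops the header, then re-setting it under a hyphenated name that survives. It assumes the headers are already on the request when mod_setenvif evaluates them, which can be verified with the PHP module logs mentioned above. Because CGI variable naming turns both "-" and "_" into "_", the reason Apache dropped such headers is that User-Name and User_Name would otherwise collide on HTTP_USER_NAME; listing only the headers actually required, rather than a wildcard pattern, keeps that exposure as small as possible.

```apache
# Added example, not the Web Agent's or Apache's own configuration.
# Header names SM_USER and USER_NAME are assumed for illustration.

<IfModule mod_setenvif.c>
    # The "." in the name pattern matches the underscore; the whole header
    # value is captured as $1 and stored in an environment variable, which
    # is not subject to the invalid-character check applied to header names.
    SetEnvIfNoCase ^SM.USER$   ^(.*)$ fix_sm_user=$1
    SetEnvIfNoCase ^USER.NAME$ ^(.*)$ fix_user_name=$1
</IfModule>

<IfModule mod_headers.c>
    # Re-set each value under a hyphenated header name. PHP then sees them as
    # $_SERVER['HTTP_SM_USER'] and $_SERVER['HTTP_USER_NAME'], because CGI
    # variable naming maps "-" to "_" as well. The env= condition keeps the
    # directive from adding an empty header when the original was absent.
    RequestHeader set SM-User   "%{fix_sm_user}e"   env=fix_sm_user
    RequestHeader set User-Name "%{fix_user_name}e" env=fix_user_name
</IfModule>
```

Add one SetEnvIfNoCase/RequestHeader pair per underscored header that the application still needs, and confirm the result by checking the $_SERVER entries in the PHP module logs rather than assuming the original header name is visible again.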