4.2 Enabling Secure Cookies

Access Gateway and the Embedded Service Provider (ESP) of Access Gateway both use session cookies in their communication with the browser. You must protect these session cookies to prevent them from being intercepted by hackers.

NOTE: You can enable secure Access Gateway session cookies only when all resources use SSL. If a mix of HTTP and HTTPS proxy services exists, you cannot enable it, because it is a global setting.

4.2.1 Securing the Embedded Service Provider Session Cookie

An attacker can spoof a non-secure browser into sending a JSESSION cookie that contains a valid user session. This might happen because Access Gateway communicates with its ESP on port 9009, which is a non-secure connection. Because ESP does not know whether Access Gateway is using SSL to communicate with the browsers, ESP does not mark the JSESSION cookie as secure when it creates the cookie. Access Gateway receives the Set-Cookie header from ESP and passes it to the browser as a non-secure clear-text cookie. If an attacker spoofs the domain of Access Gateway, the browser sends the non-secure JSESSION cookie over a non-secure channel where the cookie might be sniffed.

To stop this, you must first configure Access Gateway to use SSL. See Section 5.2.1, Enabling SSL between Browsers and Access Gateway.

After you have SSL configured, you must perform the following steps to configure Tomcat to secure the cookie:

  1. On Access Gateway server, log in as an admin user.

  2. Change to the Tomcat configuration directory.

    /opt/novell/nam/mag/conf/

  3. In a text editor, open the server.xml file.

  4. Search for the connector on port 9009.

  5. Add the following parameter within the Connector element:

    secure="true"

  6. Save the server.xml file.

  7. Restart Tomcat.
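The following script is an added example, not part of this documentation or of the Access Gateway product: it shows what step 5 changes in server.xml and gives you a way to check the result after Tomcat restarts. The server.xml fragment inside it is constructed for the example; the real file is edited in a text editor as described above. Note that ElementTree drops XML comments when it rewrites a document, so use the rewriting function to see the change, and the check function to audit the real file.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not the real Access Gateway file): the AJP
# connector on port 9009 as it looks before step 5, with no secure attribute.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="9009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def find_connector(root, port):
    """Return the first <Connector> element listening on the given port, or None."""
    for conn in root.iter("Connector"):
        if conn.get("port") == str(port):
            return conn
    return None


def connector_is_secure(xml_text, port=9009):
    """True if the Connector on `port` carries secure="true" (the setting step 5 adds)."""
    root = ET.fromstring(xml_text)
    conn = find_connector(root, port)
    if conn is None:
        raise ValueError(f"no Connector on port {port} in server.xml")
    return conn.get("secure", "false").strip().lower() == "true"


def secure_connector(xml_text, port=9009):
    """Return a copy of the XML with secure="true" set on the Connector for `port`.

    This mirrors step 5 above: the attribute is added inside the Connector element
    for port 9009 so that Tomcat marks the session cookie it creates as secure.
    """
    root = ET.fromstring(xml_text)
    conn = find_connector(root, port)
    if conn is None:
        raise ValueError(f"no Connector on port {port} in server.xml")
    conn.set("secure", "true")
    return ET.tostring(root, encoding="unicode")


def audit_server_xml(path, port=9009):
    """Read a real server.xml from disk and report whether the ESP connector is secure."""
    with open(path, encoding="utf-8") as fh:
        return connector_is_secure(fh.read(), port)


if __name__ == "__main__":
    print("before:", connector_is_secure(SAMPLE_SERVER_XML))
    fixed = secure_connector(SAMPLE_SERVER_XML)
    print(fixed)
    print("after:", connector_is_secure(fixed))
```

To audit the live file after step 7, call `audit_server_xml("/opt/novell/nam/mag/conf/server.xml")`; it returns False if someone later removes or changes the attribute.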

4.2.2 Securing the Proxy Session Cookie

Proxy session cookies store authentication information and other information in the temporary memory that is shared between the browser and the proxy. These cookies are deleted when the browser is closed. However, if these cookies are sent through a non-secure channel, hackers might intercept the cookies and impersonate a user on websites. To prevent this, you can use the following configuration options:

Setting an Authentication Cookie with a Secure Keyword for HTTP

You can configure Access Gateway to force the HTTP services to set the authentication cookie with the secure keyword.

To enable this option, perform the following steps:

  1. Click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.

  2. Select Enable Secure Cookies.

This option is used to secure the cookie when Access Gateway is placed behind an SSL accelerator, such as the Cisco SSL accelerator, and Access Gateway is configured to communicate by using only HTTP.

Preventing Cross-Site Scripting Vulnerabilities

Cross-site scripting vulnerabilities in web browsers allow malicious sites to grab cookies from a vulnerable site. Intruders might perform session fixation or impersonate the valid user. You can configure Access Gateway to set its authentication cookie with the HttpOnly keyword to prevent scripts from accessing the cookie.

To enable this option, perform the following steps:

  1. Click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.

  2. Select Force HTTP-Only Cookies.
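After enabling Enable Secure Cookies (Section 4.2.2, first option) and Force HTTP-Only Cookies (this option), you will want to confirm from the browser side that the proxy's Set-Cookie headers actually carry both attributes. The following checker is an added example, not part of this documentation or of Access Gateway; the Set-Cookie headers it parses are constructed to look like responses before and after the two options are enabled, and the proxy cookie name in them is a placeholder, not the product's real cookie name.

```python
# Constructed Set-Cookie headers, as a proxy might send them before either option
# is enabled (no Secure, no HttpOnly). EXAMPLE_PROXY_COOKIE is a placeholder name.
HEADERS_BEFORE = [
    "JSESSIONID=0123456789ABCDEF; Path=/nesp",
    "EXAMPLE_PROXY_COOKIE=deadbeefcafe; Path=/",
]

# The same constructed headers after Enable Secure Cookies and Force HTTP-Only
# Cookies are both selected.
HEADERS_AFTER = [
    "JSESSIONID=0123456789ABCDEF; Path=/nesp; Secure; HttpOnly",
    "EXAMPLE_PROXY_COOKIE=deadbeefcafe; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into its name, value and attribute flags.

    Attributes are matched case-insensitively, as browsers do; bare attributes
    such as Secure and HttpOnly become True, valued ones keep their value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {
        "name": name.strip(),
        "value": value.strip(),
        "secure": attrs.get("secure") is True,
        "httponly": attrs.get("httponly") is True,
    }


def audit_set_cookie(headers):
    """Return (cookie_name, [missing attributes]) for every cookie lacking Secure or HttpOnly.

    An empty list means every cookie is protected against both the clear-text
    interception and the script-access problems described in this section.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = []
        if not cookie["secure"]:
            missing.append("Secure")
        if not cookie["httponly"]:
            missing.append("HttpOnly")
        if missing:
            findings.append((cookie["name"], missing))
    return findings


if __name__ == "__main__":
    print("before:", audit_set_cookie(HEADERS_BEFORE))
    print("after:", audit_set_cookie(HEADERS_AFTER))
```

To run this against a real deployment, collect the Set-Cookie headers from the login response (for example from the browser's developer tools) and pass them to `audit_set_cookie`; any finding means one of the two options is not in effect for that cookie.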