10.6 Enabling Secure Cookies

Access Gateway and Embedded Service Provider of Access Gateway both use session cookies in their communication with the browser. The following sections explain how to protect these cookies from being intercepted by hackers.

For more information about making cookies secure, see the following documents:

10.6.1 Securing the Embedded Service Provider Session Cookie on Access Gateway

An attacker can trick a browser into sending the JSESSION cookie, which carries a valid user session, over a non-secure connection. This is possible because Access Gateway communicates with its ESP on port 9009, which is a non-secure connection. Because ESP does not know whether Access Gateway uses SSL to communicate with browsers, ESP does not mark the JSESSION cookie as secure when it creates the cookie. Access Gateway receives the Set-Cookie header from ESP and passes it to the browser as a non-secure, clear-text cookie. If an attacker spoofs the domain of Access Gateway, the browser sends the non-secure JSESSION cookie over a non-secure channel, where the cookie can be sniffed.

To stop this, you must first configure Access Gateway to use SSL. See Section 17.4, Configuring SSL Communication with Browsers and Access Gateway.

After you have SSL configured, you must configure Tomcat to secure the cookie.

  1. Log in to Access Gateway server as an admin user.

  2. Change to the Tomcat configuration directory.

    /opt/novell/nam/mag/conf/

  3. In a text editor, open the server.xml file.

  4. Search for the connector on port 9009.

  5. Add the following parameter within the Connector element:

    secure="true"

  6. Save the server.xml file.

  7. Enter one of the following commands to restart Tomcat:

    /etc/init.d/novell-mag restart

    OR

    rcnovell-mag restart
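The following script is an added example, not part of the Access Manager documentation or product. It checks whether the Tomcat connector on port 9009 in a server.xml carries secure="true", which is the attribute step 5 asks you to add, and previews what the file looks like with the attribute added. The sample server.xml fragment is constructed for the example; only the port number and the secure attribute come from the procedure, the other connector attributes are assumptions.

```python
"""Check whether the Tomcat connector on a given port carries secure="true".

Added example, not part of the Access Manager documentation or product.
Uses only the standard library; the sample below is a constructed fragment,
not a real Access Gateway server.xml.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: a Connector on 9009 before the documented change is applied.
# The protocol and timeout attributes are illustrative assumptions.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="9009" protocol="AJP/1.3"/>
  </Service>
</Server>
"""


def find_connector(xml_text: str, port: str = "9009"):
    """Return the first <Connector> element whose port attribute matches, or None."""
    root = ET.fromstring(xml_text)
    # Connectors sit under <Service>, so walk the whole tree rather than one level.
    for connector in root.iter("Connector"):
        if connector.get("port") == port:
            return connector
    return None


def connector_is_secure(xml_text: str, port: str = "9009"):
    """True if the connector on `port` has secure="true", False if the attribute
    is missing or set to another value, None if there is no such connector."""
    connector = find_connector(xml_text, port)
    if connector is None:
        return None
    return connector.get("secure", "").strip().lower() == "true"


def with_secure_connector(xml_text: str, port: str = "9009") -> str:
    """Return a copy of the XML with secure="true" set on the connector on `port`.

    ElementTree drops XML comments when it re-serialises, so treat the result as
    a preview of the change and apply it to the real file in a text editor, as
    the procedure describes."""
    root = ET.fromstring(xml_text)
    for connector in root.iter("Connector"):
        if connector.get("port") == port:
            connector.set("secure", "true")
    return ET.tostring(root, encoding="unicode")


def check_file(path: str, port: str = "9009"):
    """Convenience wrapper for a real file, e.g. /opt/novell/nam/mag/conf/server.xml."""
    return connector_is_secure(Path(path).read_text(encoding="utf-8"), port)


if __name__ == "__main__":
    before = connector_is_secure(SAMPLE_SERVER_XML)
    after = connector_is_secure(with_secure_connector(SAMPLE_SERVER_XML))
    print(f"port 9009 secure before: {before}, after: {after}")
```

Run it against the real file with `check_file("/opt/novell/nam/mag/conf/server.xml")` after step 6 to confirm the attribute was saved before restarting Tomcat; a result of None means no connector on that port was found, which usually means the wrong file was edited.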

Preventing Automatic Renaming of the Session ID

  1. Go to Devices > Access Gateway > Edit > Reverse Proxy / Authentication > ESP Global Options.

  2. Set RENAME_SESSIONID to false. By default, this is set to true.

  3. Restart Tomcat on each Identity Server in the cluster.

10.6.2 Securing the Proxy Session Cookie

The proxy session cookies store authentication information and other information in temporary memory that is transferred between the browser and the proxy. These cookies are deleted when the browser is closed. However, if these cookies are sent through a non-secure channel, hackers might intercept them and impersonate a user on websites. To stop this, you can use the following configuration options:

Setting an Authentication Cookie with a Secure Keyword for HTTP

You can configure Access Gateway to force the HTTP services to set the authentication cookie with the secure keyword.

To enable this option, perform the following steps:

  1. Click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.

  2. Select Enable Secure Cookies, then click OK twice.

  3. Update Access Gateway.

This option is used to secure the cookie when Access Gateway is placed behind an SSL accelerator, such as the Cisco SSL accelerator, and Access Gateway is configured to communicate by using only HTTP.

Preventing Cross-Site Scripting Vulnerabilities

Cross-site scripting vulnerabilities in web browsers allow malicious sites to read cookies from a vulnerable site. The goal of such attacks might be to perform session fixation or to impersonate a valid user. You can configure Access Gateway to set its authentication cookie with the HttpOnly keyword, which prevents scripts from accessing the cookie.

To enable this option, perform the following steps:

  1. Click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.

  2. Select Force HTTP-Only Cookies, then click OK > OK.

  3. Update Access Gateway.
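After enabling Enable Secure Cookies and Force HTTP-Only Cookies (and the secure attribute on the ESP connector from Section 10.6.1), the way to confirm the change is to look at the Set-Cookie headers the gateway actually returns. The script below is an added example, not part of the Access Manager documentation or product: it parses the Set-Cookie headers of a raw HTTP response and reports every cookie that lacks the Secure or HttpOnly attribute. The response is a constructed sample; JSESSION is the ESP cookie name the documentation uses, while ProxySession and OtherCookie are placeholder names, not real Access Gateway cookies.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not part of the Access Manager documentation or product.
The response below is constructed; JSESSION is the ESP cookie name used in the
documentation, the other cookie names and all values are placeholders.
"""

# Constructed sample response: one cookie carries both flags, one carries
# neither, and one carries HttpOnly but not Secure.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSION=EXAMPLE_SESSION_VALUE; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: ProxySession=EXAMPLE_PROXY_VALUE; Path=/\r\n"
    "Set-Cookie: OtherCookie=EXAMPLE_OTHER_VALUE; Path=/; HttpOnly\r\n"
    "\r\n"
)


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (cookie_name, {attribute_lower: value}).

    Flag attributes such as Secure and HttpOnly have no value and map to ""."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def set_cookie_headers(raw_response: str):
    """Yield the value of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    # Skip the status line; header names are case-insensitive.
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "set-cookie":
            yield value.strip()


def audit_cookies(raw_response: str, required=("secure", "httponly")):
    """Return {cookie_name: [missing attributes]} for cookies missing a required flag.

    An empty dict means every cookie in the response carries all required flags."""
    findings = {}
    for value in set_cookie_headers(raw_response):
        name, attrs = parse_set_cookie(value)
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_RESPONSE).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Feed it the raw response captured from a request to a protected resource; an empty result means both options took effect, while a JSESSION entry missing "secure" points back to the Tomcat connector change in Section 10.6.1 rather than to the gateway options here.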