32.16.3 Adding Hashed Cookies into Browsers

Access Manager hashes all session cookies to prevent potential session hijacking by someone with access to log files. As a result, troubleshooting became difficult because a user session tracked in the browser could not be transparently mapped to an entry in the server-side logs.

To address this issue, Access Manager provides advanced options to set the hashed cookie on the browser. With this in place, it is easier to map the Access Manager session cookies to the corresponding log files.

Adding Hashed Identity Server Cookies into Browsers

  1. Open the web.xml file.

    Linux: /opt/novell/nids/lib/webapp/WEB-INF/

    Windows: \Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\

  2. Uncomment the following configuration:

    <filter>
      <filter-name>DebugFilter</filter-name>
      <description> Filter to set the masked cookies in http response for debugging purpose.</description>
      <filter-class>com.novell.nidp.servlets.filters.debug.MaskedCookiesSetter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>DebugFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

  3. Restart Identity Server.

    Identity Server sets the HJSESSIONID cookie in the browser. The cookie contains the same hashed value that the log entries use to reference the session.

Adding Hashed Access Gateway Cookies into Browsers

When you set the NAGGlobalOptions SetHashedCookiesInResponse=on advanced option, Access Gateway sets the hashed values of the IPC and AGIDC cookies in the browser under the names IPCZQX0354154289-Hash and AGIDC0354154289-Hash.

Perform the following steps:

  1. Click Devices > Access Gateways > Edit > Advanced Options.

  2. Set NAGGlobalOptions SetHashedCookiesInResponse=on.

Adding Hashed ESP Cookies into Browsers

  1. Open the web.xml file.

    Linux: /opt/novell/nesp/lib/webapp/WEB-INF/

    Windows: \Program Files\Novell\Tomcat\webapps\nesp\WEB-INF\

  2. Uncomment the following configuration:

    <filter>
      <filter-name>DebugFilter</filter-name>
      <description> Filter to set the masked cookies in http response for debugging purpose.</description>
      <filter-class>com.novell.nidp.servlets.filters.debug.MaskedCookiesSetter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>DebugFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

  3. Restart ESP.

    ESP sets the HJSESSIONID cookie in the browser. The cookie contains the same hashed value that the log entries use to reference the session.
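To confirm which state an Identity Server or ESP web.xml is in before or after a restart, the following added example (not part of the product documentation) parses the file content and reports whether the DebugFilter from step 2 is active, declared without a mapping, still commented out, or absent. The function name, the state labels, and the sample web.xml fragments (including the namespace on the root element) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Filter class taken from the configuration shown in step 2.
FILTER_CLASS = "com.novell.nidp.servlets.filters.debug.MaskedCookiesSetter"

def _local(tag):
    # Drop a "{namespace}" prefix so the check works with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def debug_filter_state(web_xml_text):
    """Return (state, url_patterns) for the masked-cookie debug filter."""
    # The default parser discards XML comments, so a filter that is still
    # commented out does not appear in the tree at all.
    root = ET.fromstring(web_xml_text)
    names = {_child_text(e, "filter-name") for e in root
             if _local(e.tag) == "filter"
             and _child_text(e, "filter-class") == FILTER_CLASS}
    names.discard(None)
    # Only url-pattern mappings are considered, as in the documented block.
    patterns = [_child_text(e, "url-pattern") for e in root
                if _local(e.tag) == "filter-mapping"
                and _child_text(e, "filter-name") in names]
    patterns = [p for p in patterns if p]
    if names and patterns:
        return "enabled", patterns
    if names:
        return "declared-but-unmapped", []
    if FILTER_CLASS in web_xml_text:
        return "commented-out", []
    return "absent", []

# Constructed sample input (not copied from a real installation).
_FILTER = ("<filter><filter-name>DebugFilter</filter-name>"
           "<filter-class>%s</filter-class></filter>" % FILTER_CLASS)
_MAPPING = ("<filter-mapping><filter-name>DebugFilter</filter-name>"
            "<url-pattern>/*</url-pattern></filter-mapping>")
_WRAP = '<web-app xmlns="http://java.sun.com/xml/ns/javaee">%s</web-app>'
SAMPLE_ENABLED = _WRAP % (_FILTER + _MAPPING)
SAMPLE_COMMENTED = _WRAP % ("<!--" + _FILTER + _MAPPING + "-->")
SAMPLE_UNMAPPED = _WRAP % (_FILTER + "<!--" + _MAPPING + "-->")
```

For a real file, pass the content of web.xml read from the path given in step 1 to `debug_filter_state`.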