The Access Gateway and the Embedded Service Provider of the Access Gateway both use session cookies in their communication with the browser. The following sections explain how to protect these cookies from being intercepted by hackers.
For more information about making cookies secure, see the following documents:
An attacker can spoof a non-secure browser into sending a JSESSION cookie that contains a valid user session. This might happen because the Access Gateway communicates with its Embedded Service Provider on port 8080, which is a non-secure connection. Because the Embedded Service Provider does not know whether the Access Gateway is using SSL to communicate with the browsers, the Embedded Service Provider does not mark the JSESSION cookie as secure when it creates the cookie. The Access Gateway receives the Set-Cookie header from the Embedded Service Provider and passes it back to the browser, which means that there is a non-secure, clear-text cookie in the browser. If an attacker spoofs the domain of the Access Gateway, the browser sends the non-secure JSESSION cookie over a non-secure channel where the cookie might be sniffed.
To stop this, you must first configure the Access Gateway to use SSL. See Section 1.3, Configuring SSL Communication with Browsers and the Identity Server. After you have SSL configured, you must configure Tomcat to secure the cookie.
On the Access Gateway server, log in as an admin user.
Change to the Tomcat configuration directory.
Linux: /opt/novell/nam/mag/conf/
Windows: /Program Files/Novell/Tomcat/conf
In a text editor, open the server.xml file.
Search for the connector on port 9009.
Add the following parameter within the Connector element:
secure="true"
Save the server.xml file.
Enter one of the following commands to restart Tomcat:
Linux: /etc/init.d/novell-mag restart OR rcnovell-mag restart
Windows: Use the following commands:
net stop apache2.2
net start apache2.2
The proxy session cookies store authentication information and other information in temporary memory that is transferred between the browser and the proxy. These cookies are deleted when the browser is closed. However if these cookies are sent through a non-secure channel, there is a threat of hackers intercepting the cookies and impersonating a user on Web sites. To stop this, you can use the following configuration options:
You can configure the Access Gateway to force the HTTP services to have the authentication cookie set with the keyword secure.
To enable this option:
In the Administration Console, click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.
Select the Enable Secure Cookies option, then click OK twice.
Update the Access Gateway.
This option is used to secure the cookie when the Access Gateway is placed behind an SSL accelerator, such as the Cisco SSL accelerator, and the Access Gateway is configured to communicate by using only HTTP.
Cross-site scripting vulnerabilities in Web browsers allow malicious sites to grab cookies from a vulnerable site. The goal of such attacks might be to perform session fixation or to impersonate the valid user. You can configure the Access Gateway to set its authentication cookie with the HttpOnly keyword, to prevent scripts from accessing the cookie.
To enable this option:
In the Administration Console, click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.
Enable the Force HTTP-Only Cookies option, then click OK twice.
Update the Access Gateway.