Symantec Access Management


How to avoid smsession cookie replay.

  • 1.  How to avoid smsession cookie replay.

    Posted Jul 16, 2015 12:24 PM

    Dear All,

     

    I am working on a testing scenario, although it might be a very well-known case. The scenario is: if I steal an SMSESSION cookie before the session timeout happens from a given browser, say Mozilla, and trigger a new request from another browser on the same machine or a different machine, I will pass authentication and authorization. While going through a few solutions such as Transient IP check, session server or DeviceDNA (as it requires SPS), to some extent these don't suit the current infrastructure. It would be really helpful if there is some solution that can help avoid this situation.

     

    Thanks in advance,

    Ankush



  • 2.  Re: How to avoid smsession cookie replay.

    Posted Jul 16, 2015 01:08 PM

    A few more OOTB options are:

     

    • SSL: SSL between browser and web agent virtually ensures that an SSO session cannot be spoofed from a browser session other than the original user's, since the cookie is only sent over the wire encrypted.
    • Dynamic Agent Key Rollover: Since a cookie encrypted with an out-of-date Agent Key is useless, if you configure your environment to roll over agent keys at short intervals, this should also minimize a hacker's window of opportunity with a given SMSESSION cookie.
    • Secure Cookies: Using the Secure Cookies setting on the web agent will tell the browser to send the SMSESSION cookie only to SSL-enabled web servers. This should be used in conjunction with the first item above to ensure the cookie is not sent in the clear.


  • 3.  Re: How to avoid smsession cookie replay.
    Best Answer

    Posted Jul 19, 2015 09:36 PM

    Hi Ankush,

     

    This has been covered extensively by our KB (Knowledge Base) articles:

     

    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec544015.aspx

    For your quick reference, here is the snippet from the KB:


    There are several ways to prevent replay of cookies:

    1. Enable SSL across your entire site;

    2. Turn on IP checking on the Web Agent with transient IP check;

    3. Set your session timeout values (idle/max) to a "low" value;

    4. Enable the Session Store. The Session Store is used by the Policy Server to centrally manage/store a user's session information. When a user logs out via the Web Agent, the session is marked as invalid by the Policy Server in the Session Store. This keeps anyone else from using that same session information when trying to replay an SMSESSION cookie;

    5. Roll over Web Agent keys regularly;

    6. Set the ACO parameters TransientIDCookies to no and PersistentCookies to yes;

    7. Set the UseHTTPOnlyCookies ACO parameter to yes.

    Refer to these Technical Documents for further information related to each point above:

    TEC457904
    TEC459098
    TEC457949
    TEC451146
    TEC458952

     

    That said, the best and most foolproof solution to date is using the "Session Assurance/Device DNA" feature.

    This has been covered here : https://www.youtube.com/watch?v=S0Atd_JFML0

     

    I hope all of this gives you enough to implement the solution that is best suited to you.

     

    Cheers,

    Ujwol Shrestha
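
    The two cookie-attribute items in the lists above (the "Secure Cookies" setting and UseHTTPOnlyCookies=yes) are easy to verify from the outside. The following is an added example written for this page, not code from the thread or from CA/Symantec: a small audit routine that parses a Set-Cookie header and reports whether an SMSESSION cookie is missing the Secure or HttpOnly attribute. The header strings it checks are constructed test data; the cookie value is a placeholder, not a real token.

```python
"""
Added example, not code from the original thread or from CA/Symantec:
audit a Set-Cookie header for the SMSESSION cookie and report whether it
carries the attributes the "Secure Cookies" and UseHTTPOnlyCookies settings
are meant to add (Secure, HttpOnly). Sample headers are constructed data.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    domain: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value of the form "NAME=VALUE; attr; attr=value"."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    # Only the first "=" separates name from value; the value itself may contain "=".
    name, _, _value = parts[0].partition("=")
    secure = httponly = False
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "domain":
            domain = val.strip() or None
    return CookieAudit(name.strip(), secure, httponly, domain)


def audit_smsession(header: str) -> CookieAudit:
    """Return the parsed cookie; findings are filled in only for a weak SMSESSION cookie."""
    audit = parse_set_cookie(header)
    if audit.name.upper() != "SMSESSION":
        return audit  # not the SSO cookie; nothing to flag here
    if not audit.secure:
        audit.findings.append(
            "missing Secure: the browser will also send SMSESSION over plain HTTP, "
            "where it can be captured and replayed")
    if not audit.httponly:
        audit.findings.append(
            "missing HttpOnly: page script can read SMSESSION via document.cookie")
    return audit


# Constructed sample headers (placeholder cookie value, not a real SMSESSION token).
WEAK_HEADER = "SMSESSION=c2FtcGxlLXRva2Vu=; Domain=.example.com; Path=/"
HARDENED_HEADER = (
    "SMSESSION=c2FtcGxlLXRva2Vu=; Domain=.example.com; Path=/; Secure; HttpOnly")
OTHER_HEADER = "JSESSIONID=abc123; Path=/app"


if __name__ == "__main__":
    for hdr in (WEAK_HEADER, HARDENED_HEADER, OTHER_HEADER):
        result = audit_smsession(hdr)
        print(f"{result.name:<10} {'WEAK' if result.findings else 'OK'}")
        for finding in result.findings:
            print("   -", finding)
```

    Run it against the Set-Cookie headers returned by your own web agent after login; a cookie that produces no findings has both attributes, which covers items 1 and 7 of the list above but says nothing about IP checking, key rollover or the session store.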



  • 4.  Re: How to avoid smsession cookie replay.

    Posted Jul 20, 2015 08:45 AM

    Great list, Ujwol. However, I don't see RequireClientIP in that list. After enabling IP checking there is a quirk under which the session's IP can be set to a wildcard that matches everything unless that parameter is set to YES.



  • 5.  Re: How to avoid smsession cookie replay.

    Posted Jul 20, 2015 02:10 PM

    Hi Josh,

     

    If we set "RequireClientIP" to yes, the agent validates that the IP address in the browser cookie matches the IP address of the client. Does it require any other parameter to be set as well?


    Also, if I am replaying the SMSESSION cookie on the same machine but in a different browser, how can I avoid this?


    Thanks & Regards,

    Ankush



  • 6.  Re: How to avoid smsession cookie replay.

    Posted Jul 20, 2015 02:15 PM

    Ankush, this parameter is only active if you are doing IP checking. It causes a 401 if the SiteMinder Web Agent cannot determine the IP for the IP check.



  • 7.  Re: How to avoid smsession cookie replay.

    Posted Jul 21, 2015 09:45 AM

    Hi Josh,

     

    Do you mean I need to enable TransientIPCheck or PersistentIPCheck in order to use this parameter?

     

    Thanks,

    Ankush



  • 8.  Re: How to avoid smsession cookie replay.

    Posted Jul 30, 2015 03:15 PM

    please double check with CA



  • 9.  Re: How to avoid smsession cookie replay.

    Posted Jul 31, 2015 12:35 AM

    OK, let me clarify "RequireClientIP" a bit.

     

    • The SiteMinder Web Agent attempts to resolve the client IP irrespective of the RequireClientIP/TransientIPCheck/PersistentIPCheck settings.
    • If RequireClientIP=yes, the agent checks the IP address in the browser. If the browser IP could not be determined, a 403 error message appears in the user's browser. This is irrespective of the TransientIPCheck/PersistentIPCheck settings.
    • If TransientIPCheck or PersistentIPCheck is enabled, the browser IP address is stored in the HTTP header variable "SM_CLIENT_IP" and this is validated against the IP address stored in the cookie from the last request. If the IP addresses do not match, the agent rejects the request. It is recommended to set RequireClientIP=yes when enabling TransientIPCheck/PersistentIPCheck.

     

    For your other query, "If I am replaying the SMSESSION cookie on the same machine but in a different browser, how can I avoid this?":

    To detect the browser, you will need DeviceDNA (session assurance). To my knowledge, there is no alternate feature to support this.


    Hope this helps.


    Cheers,

    Ujwol Shrestha
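
    To make the interplay of these settings concrete, here is an added example written for this page; it is a simplified model, not SiteMinder code and not from the thread. It reduces the agent's client-IP handling to the behaviour described in post 4 and the reply above: whether TransientIPCheck is on, whether RequireClientIP is on, and whether the client IP could be resolved. The "wildcard" session IP from post 4 is represented by the string "*" (an assumption about representation, not a documented value), the 403 for an unresolvable IP follows the reply above, and all addresses are constructed. Running the scenarios shows which replay cases the IP checks stop and which they cannot, including the same-machine, different-browser case that only DeviceDNA addresses.

```python
"""
Added example, not SiteMinder code: a model of the client-IP checks discussed
in this thread, used to compare replay outcomes under different ACO settings.
Assumptions: "*" stands in for the wildcard session IP described in post 4;
an unresolvable client IP with RequireClientIP=yes yields a 403 (per post 9);
all IP addresses below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

WILDCARD = "*"  # modelled "matches everything" session IP (post 4)


@dataclass(frozen=True)
class AcoSettings:
    transient_ip_check: bool = False  # TransientIPCheck (PersistentIPCheck behaves alike here)
    require_client_ip: bool = False   # RequireClientIP


def bind_session_ip(login_ip: Optional[str], aco: AcoSettings) -> Optional[str]:
    """IP recorded in the SMSESSION cookie at login.

    Modelled quirk from post 4: if the client IP could not be determined and
    RequireClientIP is off, the session is bound to a wildcard that matches any client.
    """
    if login_ip is None and not aco.require_client_ip:
        return WILDCARD
    return login_ip


def evaluate_request(request_ip: Optional[str], cookie_ip: Optional[str],
                     aco: AcoSettings) -> str:
    """Decide how the modelled agent treats a request carrying an SMSESSION cookie."""
    # RequireClientIP=yes: an unresolvable client IP is refused regardless of IP checking.
    if aco.require_client_ip and request_ip is None:
        return "403 client IP could not be determined"
    if aco.transient_ip_check:
        if cookie_ip == WILDCARD:
            return "ALLOW (wildcard session IP matches any client)"
        if request_ip != cookie_ip:
            return "REJECT (SM_CLIENT_IP does not match IP bound in cookie)"
    return "ALLOW"


def replay_outcome(victim_login_ip: Optional[str], attacker_ip: Optional[str],
                   aco: AcoSettings) -> str:
    """Victim logs in from victim_login_ip; attacker replays the stolen cookie from attacker_ip."""
    # The login request itself is subject to RequireClientIP.
    if aco.require_client_ip and victim_login_ip is None:
        return "403 at login (client IP could not be determined)"
    cookie_ip = bind_session_ip(victim_login_ip, aco)
    return evaluate_request(attacker_ip, cookie_ip, aco)


NO_CHECKS = AcoSettings()
IP_CHECK_ONLY = AcoSettings(transient_ip_check=True)
IP_CHECK_STRICT = AcoSettings(transient_ip_check=True, require_client_ip=True)

VICTIM_IP = "198.51.100.10"   # constructed
ATTACKER_IP = "203.0.113.7"   # constructed, different host

if __name__ == "__main__":
    cases = [
        ("no IP checking, remote replay", VICTIM_IP, ATTACKER_IP, NO_CHECKS),
        ("IP check, remote replay", VICTIM_IP, ATTACKER_IP, IP_CHECK_ONLY),
        ("IP check, victim IP unresolved at login", None, ATTACKER_IP, IP_CHECK_ONLY),
        ("IP check + RequireClientIP, victim IP unresolved", None, ATTACKER_IP, IP_CHECK_STRICT),
        ("IP check + RequireClientIP, same machine/other browser", VICTIM_IP, VICTIM_IP, IP_CHECK_STRICT),
    ]
    for label, login_ip, replay_ip, aco in cases:
        print(f"{label:<55} -> {replay_outcome(login_ip, replay_ip, aco)}")
```

    The last scenario is the one Ankush asks about: when the replaying browser presents the same client IP (same machine, or any client behind the same NAT), an IP check has nothing to compare against and allows the request, which is why the reply above points to DeviceDNA for that case.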



  • 10.  Re: How to avoid smsession cookie replay.

    Posted Aug 05, 2015 06:50 AM

    Hi Ujwol,

     

    I have one more question for you. Say I log into an application protected by SM and then click out. Even after the request is completed, I access the application and get the home page.

    We have loguri and other parameters in place. The only thing I suspect is that SMSESSION is not getting set to LOGOFF, and this is causing it. Could the response between the web agent and policy server lead to the above issue?

     

    Thanks & Regards,

    Ankush



  • 11.  Re: How to avoid smsession cookie replay.

    Posted Aug 06, 2015 01:55 AM

    Hi Ankush,

     

    Sure.. But let us discuss that on separate thread.

    I have created a new thread to discuss on this https://communities.ca.com/message/241814351#241814351

     

    Cheers,

    Ujwol



  • 12.  Re: How to avoid smsession cookie replay.

    Posted Jul 20, 2015 12:47 PM

    Thanks Ujwol,

    I guess I have already gone through that list earlier. DeviceDNA is something I can't go ahead with on the existing infra.

     

    Is there any other method to avoid replay of the SMSESSION cookie?

     

    Thanks & Regards,

    Ankush



  • 13.  Re: How to avoid smsession cookie replay.

    Posted Dec 19, 2017 09:14 AM

    Hi Ankush,

     

    Have you implemented TransientIP check in your infra? How can one achieve this in an application which is internet facing? Even in the chain of IPs, what we receive at the web server will have the IP of the ISP (Internet Service Provider), not the actual client IP.

     

    What do you think?

     

    Thanks! Alok



  • 14.  Re: How to avoid smsession cookie replay.

    Posted Dec 19, 2017 09:51 AM

    Alok Alok-Kumar

     

    Please open a new thread for a new discussion. We can tag people if we would like to request comments from specific peers.

     

    Here it is.

     

    https://communities.ca.com/message/242030666-have-you-implemented-transientip-check-in-your-infra-how-would-one-can-achieve-this-in-the-application-which-is-internet-facing

     

     

    Regards

    Hubert