Zen_Leow

Access Gateway should include support for SameSite cookie attribute

Discussion created by Zen_Leow on Aug 29, 2018
Latest reply on Sep 18, 2018 by Zen_Leow

Hi CA community,

As the lack of the SameSite cookie attribute starts becoming a security finding by penetration testers, CA SSO should support this attribute as well. Currently, even if protected applications create cookies with the SameSite=strict attribute, Access Gateway actually strips it away. I had a hard time pacifying the customer as to why a CA security product removes application security protocols.

For now, via a suggestion from CA support, we make do with using the following in the httpd.conf of Access Gateway.

Header edit Set-Cookie ^(.*)$ "$1;SameSite=Strict"

We will need to experiment with the regex so that we can have better control.

It would be good if this could be part of the ACO, like the UseHTTPOnly and UseSecureCookies attributes.

After lodging a case, it was deemed an enhancement request and not a bug fix... So please enhance it.

Best regards,

Zen
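The Header edit regex quoted in the post appends SameSite to every Set-Cookie value, including values that already carry the attribute, which yields duplicated or conflicting attributes on cookies the application had already set. The following Python snippet is an added example, not code from the original post or from CA: it emulates that directive against a few constructed Set-Cookie values and contrasts it with a guarded pattern that leaves cookies that already declare SameSite untouched. The cookie names, the guarded regex and its httpd.conf equivalent are assumptions for illustration.

```python
import re

# Constructed sample Set-Cookie values (not from the post), as a back-end
# application behind the gateway might emit them.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",
    "JSESSIONID=deadbeef; Path=/app; Secure; HttpOnly; SameSite=Strict",
    "pref=light; Path=/; SameSite=Lax",
]

# The directive quoted in the post, as a Python regex. Apache's "Header edit"
# uses PCRE; Python's re module behaves the same for these patterns.
#   Header edit Set-Cookie ^(.*)$ "$1;SameSite=Strict"
NAIVE_PATTERN = re.compile(r"^(.*)$")

# Guarded variant (an assumption, not from the post): the negative lookahead
# inside the repeated group stops the match as soon as a ";SameSite=" attribute
# would be crossed, so values that already declare SameSite never match and are
# left unchanged. Assumed httpd.conf equivalent:
#   Header edit Set-Cookie "(?i)^((?:(?!;\s*SameSite=).)*)$" "$1;SameSite=Strict"
GUARDED_PATTERN = re.compile(r"^((?:(?!;\s*SameSite=).)*)$", re.IGNORECASE)

REPLACEMENT = r"\1;SameSite=Strict"  # Apache writes the back-reference as $1


def apply_header_edit(pattern, header_value):
    """Emulate 'Header edit Set-Cookie <pattern> <replacement>' for one value."""
    return pattern.sub(REPLACEMENT, header_value, count=1)


def naive_edit(values):
    """Result of the post's regex applied to every Set-Cookie value."""
    return [apply_header_edit(NAIVE_PATTERN, v) for v in values]


def guarded_edit(values):
    """Result of the guarded regex: only cookies lacking SameSite are changed."""
    return [apply_header_edit(GUARDED_PATTERN, v) for v in values]


def samesite_values(header_value):
    """All SameSite values present in a Set-Cookie value, in order of appearance."""
    return re.findall(r";\s*SameSite=([A-Za-z]+)", header_value, re.IGNORECASE)


def is_consistent(header_value):
    """True when SameSite is declared at most once (no duplicate or conflict)."""
    return len(samesite_values(header_value)) <= 1


if __name__ == "__main__":
    for label, edited in (("naive", naive_edit(SAMPLE_HEADERS)),
                          ("guarded", guarded_edit(SAMPLE_HEADERS))):
        print(f"--- {label} ---")
        for v in edited:
            print(f"{'ok ' if is_consistent(v) else 'DUP'} {v}")
```

Two points worth keeping in mind when moving this back into httpd.conf: the guard is case-insensitive because browsers treat the attribute name and value case-insensitively, and a plain Header edit only acts on Apache's default response header table, so Header always edit is needed if cookies on error responses must be covered too.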
