Symantec Access Management

  • 1.  Access Gateway should include support for SameSite cookie attribute

    Posted Aug 29, 2018 05:00 PM

    Hi CA community,

     

    As the lack of the SameSite cookie attribute starts becoming a security finding by penetration testers, CA SSO should support this attribute as well. Currently even if protected applications create cookies with the SameSite=strict attribute, Access Gateway actually strips it away. I had a hard time pacifying the customer as to why a CA security product removes application security protocols.

     

     

    For now, via suggestion from CA support, we make do with using the following in httpd.conf of Access Gateway.

     

    Header edit Set-Cookie ^(.*)$ "$1;SameSite=Strict"

     

    Will need to experiment with the regex so that we can have better control.

     

    Would be good if this can be part of ACO, like the UseHTTPOnly and UseSecureCookies attributes.

     

    After lodging a case, it is deemed an enhancement request and not a bug fix... So please enhance it.

     

    Best regards,

    Zen 
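
    Added example, not part of the original post and not CA/Broadcom code: a Python model of the `Header edit` rule quoted above, run over constructed Set-Cookie values. It shows that the blanket regex appends a second SameSite attribute when the application already set one, next to a guarded pattern that skips those headers. The guarded regex, the sample cookies and the function names are assumptions for illustration.

```python
import re

# The workaround from the post, modelled with Python's re ("$1" in httpd.conf
# is "\1" here). It appends to every Set-Cookie value unconditionally.
BLANKET = (re.compile(r"^(.*)$"), r"\1;SameSite=Strict")

# Assumed refinement: the negative lookahead skips values that already carry
# a SameSite attribute, so the application's own choice is left untouched.
GUARDED = (re.compile(r"^(?!.*;\s*SameSite\s*=)(.*)$", re.IGNORECASE),
           r"\1;SameSite=Strict")

# Constructed sample headers (not taken from a real deployment).
SAMPLE = [
    "appsession=abc123; Path=/; HttpOnly; Secure",
    "prefs=dark; Path=/; SameSite=Lax",
    "csrf=tok; Path=/; Secure; samesite=strict",
]


def apply_edit(rule, set_cookie_value):
    """Apply one 'Header edit'-style rule to a single Set-Cookie value."""
    pattern, replacement = rule
    return pattern.sub(replacement, set_cookie_value, count=1)


def samesite_values(set_cookie_value):
    """Return every SameSite value present, in order, lower-cased."""
    found = []
    for attr in set_cookie_value.split(";")[1:]:  # skip the name=value pair
        name, _, value = attr.strip().partition("=")
        if name.lower() == "samesite":
            found.append(value.strip().lower())
    return found


def audit(rule, headers):
    """Return (rewritten header, status) for each input header."""
    report = []
    for header in headers:
        rewritten = apply_edit(rule, header)
        values = samesite_values(rewritten)
        if not values:
            status = "missing"
        elif len(set(values)) > 1:
            status = "conflict"    # e.g. Lax followed by Strict
        elif len(values) > 1:
            status = "duplicate"   # same value emitted twice
        else:
            status = "ok"
        report.append((rewritten, status))
    return report
```

    Running `audit(BLANKET, SAMPLE)` and `audit(GUARDED, SAMPLE)` side by side gives a quick regression check before changing the regex in httpd.conf; the pattern should still be verified against the Apache build shipped with Access Gateway.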



  • 2.  Re: Access Gateway should include support for SameSite cookie attribute

    Broadcom Employee
    Posted Aug 29, 2018 06:18 PM

    Hi Zen, let me re-cast this one as an "Idea" rather than a "Document" - the Idea ones are the ones they select, and it allows community members to vote on them too.

     

    I'll post a link here - but it will also appear in the feed. 

     

    Cheers - Mark



  • 3.  Re: Access Gateway should include support for SameSite cookie attribute

    Broadcom Employee
    Posted Aug 29, 2018 06:23 PM

    Here you go, and I added a few comments too - the feature is good for all SSO, not just Access Gateway, and there are similar issues with adding some security headers as well - luckily in Access Gateway there are workarounds where httpd.conf mod_header can be used to add the attributes; in a normal webagent that is not possible:

     

    Access Gateway should include support for SameSite cookie attribute 

     

    Cheers - Mark



  • 4.  Re: Access Gateway should include support for SameSite cookie attribute

    Posted Sep 18, 2018 02:12 AM

    A long overdue thank you note from me.

    Thank you Mark.