Securing SiteMinder Sessions

Discussion created by masvi10 Employee on Mar 6, 2012
Latest reply on Jan 5, 2013 by ranebshekhar

Tuesday Tip by Vijay Masurkar, Principal Support Engineer, for 3-6-2012

Securing SiteMinder Sessions

SiteMinder's single sign-on feature uses an encrypted, tamper-resistant HTTP cookie to maintain session state. After a successful user authentication, the session cookie, SMSESSION, is generated; it is then updated on each subsequent request to track user activity for idle-timeout calculations. Note that, by design, a session cookie is replayed on every request in place of the actual credentials, so that the user can access an application without re-entering credentials by hand for each request. The flip side is that anyone who obtains a valid SMSESSION cookie can replay it in the same way until it expires or is revoked, which is why the measures below matter.

To mitigate the risk of session compromise in the SiteMinder environment, here are some measures one may take:

A VPN and/or an SSL (Secure Sockets Layer) or TLS (Transport Layer Security) connection to the application is recommended to encrypt traffic and prevent man-in-the-middle interception of the cookie. Use the following web agent settings as needed; they mark the session and cookie-provider cookies with the Secure attribute so that browsers only send them over HTTPS:

- UseSecureCookie
- UseSecureCPCookies

Use IP checking where possible to reject SMSESSION cookies presented from an IP address that does not match the one they were issued to. Every SMSESSION cookie contains the client IP address recorded by the web server at authentication. If the web server sits behind a proxy or load balancer, the address it sees is the proxy's, so use ProxyDefinition and CustomIPHeader to have the agent take the real client address from a header set by a trusted proxy rather than from the connection. Web agent settings to use as deemed appropriate:

- TransientIPCheck
- PersistentIPCheck
- ProxyDefinition
- CustomIPHeader

Session timeouts. Use a SiteMinder realm's maximum and idle session timeouts to bound how long a session remains valid, so that a captured cookie has a limited useful lifetime.

Lock the SiteMinder session cookie to a specific cookie domain. Set TrackSessionDomain="YES" so that agents record the request's cookie domain inside the encrypted SMSESSION cookie when they set a new cookie; the agent will then not accept that cookie for a request in a different cookie domain.

Configure a SiteMinder session store and use persistent realms so that sessions are tracked server-side. On logout the session is removed from the store, which reduces the risk of the SMSESSION cookie being replayed after the user has logged out.
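The following is an added toy model, not SiteMinder code and not the real SMSESSION format (which is encrypted with a key issued by the policy server). It exists only to make the measures above concrete: a session cookie bound to the client IP and cookie domain, a Secure attribute on the Set-Cookie line, IP checking that trusts a forwarded-address header only from a known proxy, idle and maximum timeouts, and a server-side session store consulted on every request so that a cookie replayed after logout is refused. All names, the key, the addresses and the timings are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: a per-deployment secret shared by the agents. This model MACs
# the cookie for tamper resistance; SiteMinder encrypts it instead.
AGENT_KEY = b"constructed-example-key-do-not-use"


def _sign(blob: str) -> str:
    return hmac.new(AGENT_KEY, blob.encode(), hashlib.sha256).hexdigest()


def _pack(body: dict) -> str:
    blob = base64.urlsafe_b64encode(json.dumps(body).encode()).decode()
    return f"{blob}.{_sign(blob)}"


def issue_session(user, client_ip, cookie_domain, now):
    """Return (session_id, cookie). The cookie records the IP it was issued to
    (IP checking) and the cookie domain (TrackSessionDomain)."""
    sid = secrets.token_hex(8)
    body = {"sid": sid, "user": user, "ip": client_ip,
            "domain": cookie_domain, "created": now, "last": now}
    return sid, _pack(body)


def set_cookie_header(cookie, cookie_domain, secure=True):
    """Set-Cookie line as an agent configured with UseSecureCookie=YES emits it."""
    attrs = [f"SMSESSION={cookie}", f"Domain={cookie_domain}", "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")  # browser will only send it over HTTPS
    return "; ".join(attrs)


def client_ip(request, policy):
    """Effective client address: honour the custom IP header only when the
    connection comes from a proxy listed in the policy (ProxyDefinition)."""
    ip = request["remote_addr"]
    header = policy.get("custom_ip_header")
    if header and ip in policy.get("trusted_proxies", set()):
        forwarded = request.get("headers", {}).get(header)
        if forwarded:
            return forwarded.split(",")[0].strip()
    return ip


def validate(cookie, request, policy, session_store, now):
    """Return (ok, reason, refreshed_cookie), applying the checks in order."""
    try:
        blob, tag = cookie.rsplit(".", 1)
    except ValueError:
        return False, "malformed", None
    if not hmac.compare_digest(tag, _sign(blob)):
        return False, "tampered", None
    body = json.loads(base64.urlsafe_b64decode(blob))
    if policy.get("ip_check") and client_ip(request, policy) != body["ip"]:
        return False, "ip mismatch", None
    if body["domain"] != request["cookie_domain"]:
        return False, "domain mismatch", None
    if now - body["created"] > policy["max_timeout"]:
        return False, "max timeout", None
    if now - body["last"] > policy["idle_timeout"]:
        return False, "idle timeout", None
    if body["sid"] not in session_store:  # revoked or logged out
        return False, "not in session store", None
    body["last"] = now  # refresh idle timer, as the agent does on each request
    return True, "ok", _pack(body)


def logout(session_store, sid):
    session_store.discard(sid)


def demo():
    """Constructed scenarios; returns the reason string produced by each."""
    policy = {"ip_check": True, "trusted_proxies": {"10.0.0.5"},
              "custom_ip_header": "X-Forwarded-For",
              "idle_timeout": 600, "max_timeout": 3600}
    store, t0 = set(), 1_000_000
    sid, cookie = issue_session("alice", "203.0.113.7", ".example.com", t0)
    store.add(sid)
    base = {"remote_addr": "203.0.113.7", "cookie_domain": ".example.com", "headers": {}}
    r = {}
    r["direct"] = validate(cookie, base, policy, store, t0 + 10)[1]
    via_proxy = dict(base, remote_addr="10.0.0.5",
                     headers={"X-Forwarded-For": "203.0.113.7, 10.0.0.5"})
    r["via_proxy"] = validate(cookie, via_proxy, policy, store, t0 + 20)[1]
    r["replay_other_ip"] = validate(cookie, dict(base, remote_addr="198.51.100.9"),
                                    policy, store, t0 + 30)[1]
    spoof = dict(base, remote_addr="198.51.100.9",
                 headers={"X-Forwarded-For": "203.0.113.7"})
    r["spoofed_header"] = validate(cookie, spoof, policy, store, t0 + 40)[1]
    r["other_domain"] = validate(cookie, dict(base, cookie_domain=".other.test"),
                                 policy, store, t0 + 50)[1]
    flipped = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    r["tampered"] = validate(flipped, base, policy, store, t0 + 60)[1]
    r["idle"] = validate(cookie, base, policy, store, t0 + 700)[1]
    fresh = cookie
    for t in range(t0 + 500, t0 + 3600, 500):  # keep the session active
        fresh = validate(fresh, base, policy, store, t)[2]
    r["max"] = validate(fresh, base, policy, store, t0 + 3700)[1]
    logout(store, sid)
    r["after_logout"] = validate(cookie, base, policy, store, t0 + 70)[1]
    return r
```

The order of checks in `validate` is the important part: a cookie that survives the integrity check is still useless from the wrong address or domain, after its timers expire, or once the session store no longer knows the session, which is what makes a stolen cookie worth far less than the credentials it stands in for.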

For further details on each of the points above, refer to the SiteMinder Web Agent Configuration Guide.