Novell Access Manager 3.1 SP2 Access Gateway Guide (2010), Section 3.5, "Enabling Secure Cookies"

All the displayed certificates are added to the trust store.
3f Click Close.
4 (Optional) Set up mutual authentication so that the Web server can verify the proxy service certificate:
4a Click the Select Certificate icon,
4b Select the certificate you created for the reverse proxy, then click OK.
This is only part of the process. You need to import the trusted root certificate of the CA
that signed the proxy service's certificate to the Web servers assigned to this proxy
service. For instructions, see your Web server documentation.
5 In the Connect Port field, specify the port that your Web server uses for SSL communication.
The following table lists some common servers and their default ports.
Server Type                   Non-Secure Port   Secure Port
Web server with HTML content  80                443
SSL VPN                       8080              8443
WebSphere                     9080              9443
JBoss                         8080              8443
6 To save your changes to browser cache, click OK.
7 To apply your changes, click the Access Gateways link, then click Update > OK.

3.5 Enabling Secure Cookies

The Access Gateway and the Embedded Service Provider of the Access Gateway both use session
cookies in their communication with the browser. The following sections explain how to protect
these cookies from being intercepted by hackers.
Section 3.5.1, "Securing the Embedded Service Provider Session Cookie," on page 117
Section 3.5.2, "Securing the Proxy Session Cookie," on page 119
For more information about making cookies secure, see the following documents:
Secure attribute for cookies in RFC 2965 (http://www.faqs.org/rfcs/rfc2965.html)
HTTP-only cookies (http://msdn.microsoft.com/en-us/library/ms533046.aspx)

3.5.1 Securing the Embedded Service Provider Session Cookie

An attacker can spoof a non-secure browser into sending a JSESSION cookie that contains a valid user session. This might happen because the Access Gateway communicates with its Embedded Service Provider on port 8080, which is a non-secure connection. Because the Embedded Service Provider does not know whether the Access Gateway is using SSL to communicate with the browsers, the Embedded Service Provider does not mark the JSESSION cookie as secure when it creates the cookie. The Access Gateway receives the Set-Cookie header from the Embedded Service Provider and passes it back to the browser, which means that there is a non-secure, clear-text cookie in the browser. If an attacker spoofs the domain of the Access Gateway, the browser sends the non-secure JSESSION cookie over a non-secure channel where the cookie might be sniffed.
Configuring the Access Gateway for SSL and Other Security Features 117
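As an added example that is not part of the Novell manual and not Access Manager code, the following Python script illustrates the two cookie attributes Section 3.5 points to (Secure and HttpOnly) and the failure described in Section 3.5.1: it parses Set-Cookie headers such as the one the Embedded Service Provider returns over its plain-HTTP port, reports session cookies that lack Secure or HttpOnly, and shows how a TLS-terminating proxy that does know the browser-facing scheme could add the missing Secure attribute before forwarding the header. The cookie name JSESSIONID, the path /nesp, the cookie values and the sample response headers are constructed assumptions.

```python
"""Audit and harden Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not Novell Access Manager code. The cookie name JSESSIONID,
the path /nesp and all cookie values below are constructed sample data.
"""
from typing import Dict, List, Tuple

# (name, value, attributes) with attribute names lower-cased; flag
# attributes such as Secure carry an empty string as their value.
Cookie = Tuple[str, str, Dict[str, str]]

# Canonical spelling used when a header is re-serialised.
_CANON = {"path": "Path", "domain": "Domain", "expires": "Expires",
          "max-age": "Max-Age", "secure": "Secure", "httponly": "HttpOnly",
          "samesite": "SameSite"}

# Constructed sample: what a back end reached over plain HTTP (like the
# Embedded Service Provider on port 8080) might return. The session cookie
# carries no Secure attribute because the back end cannot see that the
# browser-facing connection used TLS.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=3F2A9C1D7E; Path=/nesp; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000"),
]

# Names of cookies that carry an authenticated session (assumption).
SESSION_COOKIES = ("JSESSIONID",)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def serialize_set_cookie(cookie: Cookie) -> str:
    """Inverse of parse_set_cookie; attribute order is preserved."""
    name, value, attrs = cookie
    out = [f"{name}={value}"]
    for key, val in attrs.items():
        label = _CANON.get(key, key)
        out.append(f"{label}={val}" if val else label)
    return "; ".join(out)


def is_session_cookie(name: str, session_names=SESSION_COOKIES) -> bool:
    return name.upper() in {n.upper() for n in session_names}


def audit_headers(headers: List[Tuple[str, str]],
                  session_names=SESSION_COOKIES) -> List[str]:
    """Report session cookies a browser would send over plain HTTP or expose to script."""
    findings = []
    for field, header in headers:
        if field.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(header)
        if not is_session_cookie(name, session_names):
            continue
        if "secure" not in attrs:
            findings.append(f"{name}: no Secure attribute, browser will also send it over http://")
        if "httponly" not in attrs:
            findings.append(f"{name}: no HttpOnly attribute, readable by script in the page")
    return findings


def harden_headers(headers: List[Tuple[str, str]], browser_uses_tls: bool,
                   session_names=SESSION_COOKIES) -> List[Tuple[str, str]]:
    """Rewrite session cookies the way a TLS-terminating proxy could before
    forwarding the response: add Secure when the browser-facing leg is TLS
    and HttpOnly when absent. Other cookies and headers pass through unchanged."""
    result = []
    for field, header in headers:
        if field.lower() == "set-cookie":
            name, value, attrs = parse_set_cookie(header)
            if is_session_cookie(name, session_names):
                if browser_uses_tls and "secure" not in attrs:
                    attrs["secure"] = ""
                if "httponly" not in attrs:
                    attrs["httponly"] = ""
                header = serialize_set_cookie((name, value, attrs))
        result.append((field, header))
    return result


if __name__ == "__main__":
    for line in audit_headers(SAMPLE_HEADERS):
        print("FINDING:", line)
    for field, header in harden_headers(SAMPLE_HEADERS, browser_uses_tls=True):
        print(f"{field}: {header}")
```

The rewrite is deliberately limited to the named session cookies: adding HttpOnly to every cookie could break pages whose scripts legitimately read non-session cookies, and adding Secure only makes sense on the component that actually terminates TLS, which is the point Section 3.5.1 makes about the Embedded Service Provider.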
