5 In the Connect Port field, specify the port that your Web server uses for SSL communication.
The following table lists some common servers and their default ports.

| Server Type | Non-Secure Port | Secure Port |
| --- | --- | --- |
| Web server with HTML content | 80 | 443 |
| SSL VPN | 8080 | 8443 |
| WebSphere | 9080 | 9443 |
| JBoss | 8080 | 8443 |

6 To save your changes to browser cache, click OK.
7 To apply your changes, click the Access Gateways link, then click Update > OK.

2.5 Enabling Secure Cookies

The Embedded Service Provider of the Access Gateway and the Access Gateway both use session cookies in their communication with the browser. The following sections explain how to protect these cookies from being intercepted by hackers:

Section 2.5.1, "Securing the Embedded Service Provider Session Cookie," on page 71
Section 2.5.2, "Securing the Proxy Session Cookie," on page 72

For more information about making cookies secure, see the following documents:

Secure attribute for cookies in RFC 2965 (http://www.faqs.org/rfcs/rfc2965.html)
HTTP-only cookies (http://msdn.microsoft.com/en-us/library/ms533046.aspx)

2.5.1 Securing the Embedded Service Provider Session Cookie

An attacker can spoof a non-secure browser into sending a JSESSION cookie that contains a valid user session. This might happen because the Access Gateway communicates with its Embedded Service Provider on port 8080, which is a non-secure connection. Because the Embedded Service Provider does not know whether the Access Gateway is using SSL to communicate with the browsers, the Embedded Service Provider does not mark the JSESSION cookie as secure when it creates the cookie. The Access Gateway receives the Set-Cookie header from the Embedded Service Provider and passes it back to the browser, which means that there is a non-secure, clear-text cookie in the browser. If an attacker spoofs the domain of the Access Gateway, the browser sends the non-secure JSESSION cookie over a non-secure channel where the cookie might be sniffed.

To stop this from happening, you must first configure Access Gateway to use SSL. See Section 2.3, "Configuring SSL Communication with the Browsers and the Identity Server," on page 66. After you have SSL configured, create a touch file as follows:

1 On the Linux Access Gateway Appliance, log in as root.
2 Specify the following command to create the .setsecureESP file:
    touch /var/novell/.setsecureESP
3 Specify the following command to restart Linux Access Gateway:
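
To confirm the outcome of the procedure above, the following added example (not part of the original guide) lists cookies in saved HTTP response headers that lack the Secure attribute discussed in this section or the HttpOnly attribute covered by the referenced document. The function name `insecure_cookies` and the sample headers are assumptions constructed for illustration; they are not output captured from an Access Gateway.

```shell
#!/bin/sh
# insecure_cookies: read HTTP response headers on stdin and print one line per
# Set-Cookie header that lacks an attribute: "<name> missing:<attr>[,<attr>]".
# (Hypothetical helper written for this example.)
insecure_cookies() {
    awk '
    { sub(/\r$/, "") }                       # tolerate CRLF line endings
    tolower($0) ~ /^set-cookie:/ {
        line = $0
        sub(/^[^:]*:[ \t]*/, "", line)       # drop the header name
        n = split(line, part, ";")
        name = part[1]
        sub(/=.*/, "", name)                 # cookie name is the text before "="
        secure = 0; httponly = 0
        for (i = 2; i <= n; i++) {           # attributes follow the name=value pair
            attr = tolower(part[i])
            gsub(/^[ \t]+|[ \t]+$/, "", attr)
            if (attr == "secure")   secure = 1
            if (attr == "httponly") httponly = 1
        }
        missing = ""
        if (!secure)   missing = "Secure"
        if (!httponly) missing = (missing == "" ? "" : missing ",") "HttpOnly"
        if (missing != "") print name " missing:" missing
    }'
}

# Constructed sample headers: a session cookie without and with the Secure flag.
sample_unmarked='HTTP/1.1 302 Found
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/
Location: /'

sample_marked='HTTP/1.1 302 Found
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; Secure
Location: /'

echo "unmarked cookie:"
printf '%s\n' "$sample_unmarked" | insecure_cookies
echo "marked cookie:"
printf '%s\n' "$sample_marked" | insecure_cookies
```

Headers saved from a real response can be piped into the same function in place of the constructed samples.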