Protecting SmSession Cookie


Maruthi

Jun 4, 2007, 11:42:45 AM6/4/07
to Identity and Access Management
In SiteMinder, after authentication happens, SiteMinder creates an
SMSESSION cookie. This cookie will remain until it expires based
on the realm configuration or the browser is closed. We should
prevent the creation of another HTTPS session using the same SMSESSION
cookie that was created initially, thus preventing spoofing of
SiteMinder.

There are several mechanisms available, however, to minimize that risk.

SSL: SSL between browser and webagent virtually ensures that a
SiteMinder session cannot be spoofed from a browser session other than
the original user's since the cookie is only sent over the wire
encrypted.


IP checking: Since each SmSession Cookie is created with the IP
address of the browser baked into it, you can ensure that a hacker
cannot hijack a SiteMinder session from an IP address other than the
original user's, as long as the IP Checking feature is enabled. This
is done by setting TransientIPCheck to YES for non-persistent cookies
and by setting PersistentIPCheck to YES if you have persistent cookies
in your environment. These settings are made in the agent
configuration object.


Realm timeout restriction: by maintaining relatively short Max Session
and Idle Session Timeout values for your SiteMinder Realms, you can
restrict the window of opportunity for a hacker with an SmSession
Cookie to that timeframe. These are configured in the realms where the
resources are protected.


Dynamic Agent Key Rollover: Since a cookie encrypted with an out-of-
date Agent Key is useless, if you configure your environment to roll
over agent keys at short intervals, this should also minimize a
hacker's window of opportunity with a given SmSession Cookie.


Secure Cookies: Using the Secure Cookies setting on the web agent will
tell the browser to send the SMSESSION cookie only to SSL-enabled web
servers. This should be used in conjunction with item 1 to ensure the
cookie is not sent in the clear.


Transient Cookies: By default SiteMinder web agents will set cookies
as transient cookies, which are only in memory and never written to the
hard drive. If you enable persistent cookies they are written to the
local hard drive and can be more easily retrieved. These are
configured in the agent configuration object.
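Two of the controls above (IP checking and short realm timeouts) can be verified after the fact from web-server access logs: a session presented from more than one client IP, or accepted for longer than the realm's Max Session Timeout, means the setting is not doing what was intended. The following is an added example, not code from the post or from SiteMinder; the log format, the sample lines and the session labels (standing in for a hash of the SMSESSION value) are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (example data, not from a real deployment).
# Assumed format: "<ISO-8601 timestamp> <client IP> <session label> <requested path>",
# where the session label stands in for a hash of the SMSESSION value (never log the
# raw cookie itself, since the logged value would itself be a reusable token).
SAMPLE_LOG = """\
2007-06-04T11:40:01 10.1.2.3 a1 /protected/home
2007-06-04T11:41:15 10.1.2.3 a1 /protected/account
2007-06-04T11:43:02 198.51.100.7 a1 /protected/account
2007-06-04T11:44:30 10.1.2.9 b2 /protected/home
2007-06-04T12:20:00 10.1.2.9 b2 /protected/reports
"""


def parse_line(line):
    """Split one access-log line into (timestamp, client_ip, session_label, path)."""
    ts, ip, session, path = line.split()
    return datetime.fromisoformat(ts), ip, session, path


def sessions_with_multiple_ips(log_text):
    """Return {session_label: sorted client IPs} for sessions seen from more than one IP.

    With TransientIPCheck / PersistentIPCheck set to YES the agent should reject the
    request from the second IP, so any hit here points at a gap in that setting."""
    ips = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            _, ip, session, _ = parse_line(line)
            ips[session].add(ip)
    return {s: sorted(v) for s, v in ips.items() if len(v) > 1}


def sessions_exceeding_max_age(log_text, max_session):
    """Return the set of session labels whose first-to-last request span exceeds max_session.

    A session still accepted past the realm's Max Session Timeout means the realm is not
    configured as tightly as intended. Lines may arrive in any order."""
    first, last = {}, {}
    for line in log_text.splitlines():
        if line.strip():
            ts, _, session, _ = parse_line(line)
            first[session] = min(first.get(session, ts), ts)
            last[session] = max(last.get(session, ts), ts)
    return {s for s in first if last[s] - first[s] > max_session}


if __name__ == "__main__":
    print(sessions_with_multiple_ips(SAMPLE_LOG))                          # {'a1': ['10.1.2.3', '198.51.100.7']}
    print(sessions_exceeding_max_age(SAMPLE_LOG, timedelta(minutes=30)))  # {'b2'}
```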
