Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide

Implementing the OpenSSO Enterprise Solution for Cookie Hijacking Security Issues

The instructions presented in this section provide a solution to the potential risks related to session-cookie hijacking as outlined in this chapter.

This section also provides the other configuration steps necessary to guard web resources in an OpenSSO Enterprise deployment against the threat of session-cookie hijacking.

After you perform the tasks presented in this chapter, OpenSSO Enterprise starts enforcing restrictions on the sessions it creates. The new configuration enables OpenSSO Enterprise to more closely track aspects of each session. At that point, OpenSSO Enterprise not only records which agent performed the initial redirection for authentication, it also tracks the applications to which an SSO token has been issued. OpenSSO Enterprise uses this information to process each subsequent request and to prevent unauthorized access to protected web resources.

About the Agent Profile

As a part of agent installation, each agent has its own agent profile. OpenSSO Enterprise server uses each agent's profile to help prevent cookie-hijacking related security issues. You can use the agent profile that was created as part of the initial agent installation, or if you choose, you can update the agent profile. If you choose to update the agent profile, this is the appropriate point to do so.

Configuring the OpenSSO Enterprise Deployment Against Cookie Hijacking

Though each agent has its own agent profile, OpenSSO Enterprise is not configured by default to associate an SSO token to a specific agent profile. The steps in this section enable this type of association. Ultimately, the new configuration introduces “restricted tokens” into the OpenSSO Enterprise deployment, guarding against security issues as described in this chapter.

Procedure: To Configure the OpenSSO Enterprise Deployment Against Cookie Hijacking

This task description includes configuration information for agents in the Policy Agent 3.0 software set. Perform the task on every agent instance for which you want to enhance security. The best practice is to perform the task on all the agent instances in the OpenSSO Enterprise deployment. As part of the configuration of each agent instance, you must also make specific configurations directly to OpenSSO Enterprise. For this task, be prepared to access the OpenSSO Enterprise Console and a browser that can access a protected web resource.

  1. Using a browser, navigate through OpenSSO Enterprise Console to the appropriate agent (J2EE agent or web agent, whichever applies) properties page that you want to configure.

  2. Edit the agent properties as described in the substeps that follow:

    Note that the properties are spread across several Console tabs, so you must move from tab to tab as you edit them.

    1. Enable the property labeled Cross Domain SSO (Tab: SSO, Name: com.sun.identity.agents.config.cdsso.enable).

      Setting this property to Enabled turns on CDSSO. This is required for each agent instance because the restricted-token mechanism configured in this task relies on functionality provided by the CDSSO feature.

    2. Set the property labeled CDSSO Servlet URL (Tab: SSO, Name: com.sun.identity.agents.config.cdsso.cdcservlet.url) as described in this substep.

      This property stores the URL of the CDC servlet on the OpenSSO Enterprise server. In a deployment enabled for CDSSO, the agent directs users to this servlet, which returns them to the agent with their session token after a successful login. A feasible setting for this property is as follows:

      https://OpenssoHost.example.com:8080/amserver/cdcservlet
    3. Click Save on the SSO page.

    4. (Conditional) For J2EE agents only, add a new value to the property labeled Custom Properties (Tab: Advanced, Name: com.sun.identity.agents.config.freeformproperties) as described in this step.

      Add the following value to the Custom Properties property:

      com.sun.identity.enableUniqueSSOTokenCookie=true
    5. Click Save on the Advanced page.

  3. Restart the container that hosts the agent.

  4. Add the required OpenSSO Enterprise properties as described in the substeps that follow.

    1. In the OpenSSO Enterprise Console, navigate back to the top level.

    2. Click Configuration tab.

    3. Click the Servers and Sites subtab.

    4. Click the OpenSSO Enterprise server name that you want to configure.

    5. Click the Advanced tab.

    6. Add the properties and values as shown in the table that follows.

      Property Name                                         Property Value
      com.sun.identity.enableUniqueSSOTokenCookie           true
      com.sun.identity.authentication.uniqueCookieName      sunIdentityServerAuthNServer
      com.sun.identity.authentication.uniqueCookieDomain    DomainName (for example, example.com)

    7. Click Save.

  5. In OpenSSO Enterprise Administration Console, navigate back to the Configuration tab.

  6. Select the System subtab.

  7. Click Platform.

  8. In the Cookie Domain list, change the cookie domain name as described in the substeps that follow.

    This step enables OpenSSO Enterprise to set host-specific session cookies instead of domain-wide session cookies.

    1. Select the default domain, such as “example.com.”

    2. Click Remove.

    3. Enter the name of the machine hosting the OpenSSO Enterprise instance.

      For example:

      OpenssoHost.example.com
    4. Click Add.

  9. Ensure that the proper cookies appear in a browser as described in the substeps that follow.

    1. Use a browser to access a resource that is protected by the agent that you just configured.

    2. Check the browser's cookie settings to ensure that the following three cookies appear:

      Cookie Name                     Example Cookie Value                    Example Cookie Domain Information
      iPlanetDirectoryPro             SSO-token                               OpenssoHost.example.com
      iPlanetDirectoryPro             restricted-SSO-token                    agentHost.example.com
      sunIdentityServerAuthNServer    https://OpenssoHost.example.com:8080    .example.com

      The two iPlanetDirectoryPro cookies are each scoped to a single host: the full SSO token is sent only to the OpenSSO Enterprise host, and the restricted token only to the agent host. Only the sunIdentityServerAuthNServer cookie, which carries the URL of the authenticating OpenSSO Enterprise server, remains domain-wide.
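The cookie check in the last step can be automated. The following is an added example, not code from the Sun guide or the OpenSSO Enterprise product: it parses Set-Cookie headers the way a browser scopes them and verifies the pattern the procedure produces (host-only iPlanetDirectoryPro cookies from the OpenSSO Enterprise host and from the agent host, and a domain-wide sunIdentityServerAuthNServer cookie pointing at the server). The host names are the guide's example values; the header samples and token values are constructed. The second sample reproduces the default, unhardened deployment, in which the single domain-wide session cookie is readable by every host under the cookie domain, and the check reports it.

```python
"""Verify the cookie scoping produced by the cookie-hijacking procedure.

Added example, not code from the Sun OpenSSO Enterprise guide. Host names
are the guide's examples; the Set-Cookie samples and token values are
constructed for illustration.
"""
from http.cookies import SimpleCookie

OPENSSO_HOST = "OpenssoHost.example.com"
AGENT_HOST = "agentHost.example.com"
COOKIE_DOMAIN = "example.com"          # the domain removed from the Platform cookie list
SESSION_COOKIE = "iPlanetDirectoryPro"
AUTHN_COOKIE = "sunIdentityServerAuthNServer"


def parse_set_cookie(header, response_host):
    """Return (name, value, effective_domain, host_only) for one Set-Cookie header.

    A cookie without a Domain attribute is host-only: the browser sends it
    back only to response_host. With Domain=.example.com it is sent to every
    host under example.com, which is what lets another host in the domain
    receive, and therefore hijack, the session token.
    """
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    domain = morsel["domain"].lstrip(".").lower()
    if domain:
        return name, morsel.value, domain, False
    return name, morsel.value, response_host.lower(), True


def check_session_cookies(set_cookie_headers):
    """Check (response_host, Set-Cookie header) pairs; return a list of problems.

    An empty list means the cookies are scoped as the procedure requires.
    """
    problems = []
    session_hosts = set()
    authn_seen = False
    for host, header in set_cookie_headers:
        name, value, domain, host_only = parse_set_cookie(header, host)
        if name == SESSION_COOKIE:
            if not host_only:
                problems.append(
                    f"{name} from {host} is domain-wide ({domain}): "
                    "the session token is exposed to every host in the domain")
            else:
                session_hosts.add(domain)
        elif name == AUTHN_COOKIE:
            authn_seen = True
            if host_only or domain != COOKIE_DOMAIN:
                problems.append(
                    f"{name} must be scoped to {COOKIE_DOMAIN} so that every "
                    f"agent host can locate the authenticating server, got {domain}")
            if not value.lower().startswith("https://" + OPENSSO_HOST.lower()):
                problems.append(f"{name} does not point at {OPENSSO_HOST}: {value}")
    for expected in (OPENSSO_HOST, AGENT_HOST):
        if expected.lower() not in session_hosts:
            problems.append(f"no host-only {SESSION_COOKIE} cookie from {expected}")
    if not authn_seen:
        problems.append(f"{AUTHN_COOKIE} cookie not set")
    return problems


# Constructed headers as a browser would see them after the procedure (hardened).
HARDENED_HEADERS = [
    (OPENSSO_HOST, "iPlanetDirectoryPro=AQIC5wM2LY4SfczFullSsoToken; Path=/; Secure"),
    (AGENT_HOST, "iPlanetDirectoryPro=AQIC5wM2LY4SfczRestrictedToken; Path=/; Secure"),
    (OPENSSO_HOST, "sunIdentityServerAuthNServer=https://OpenssoHost.example.com:8080; "
                   "Domain=.example.com; Path=/; Secure"),
]

# Constructed headers from the default configuration: one domain-wide session cookie.
WEAK_HEADERS = [
    (OPENSSO_HOST, "iPlanetDirectoryPro=AQIC5wM2LY4SfczFullSsoToken; "
                   "Domain=.example.com; Path=/; Secure"),
]

if __name__ == "__main__":
    for label, headers in (("hardened", HARDENED_HEADERS), ("default", WEAK_HEADERS)):
        problems = check_session_cookies(headers)
        print(f"{label}: {'OK' if not problems else 'FAIL'}")
        for problem in problems:
            print("  -", problem)
```

To run the check against a live deployment, replace the constructed lists with the Set-Cookie headers recorded by the browser or proxy when the protected resource is accessed, keeping the host that returned each header as the first element of the pair; the restricted token must come from the agent host, not from the OpenSSO Enterprise host.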