Access Manager Solution: Cookie Hijacking Security Issues
This section explains how performing the tasks described in this document enables Access Manager to handle the security issues discussed in the preceding section, Defining Key Cookie Hijacking Security Issues.
Note –
When applications use a secure protocol such as HTTPS, the SSO Token is not visible to network snooping. This security issue is labeled “Security Issue: Insecure Protocol” in this document. Ensuring that all protected resources use a secure protocol is not a security measure administered using Access Manager, but this a very prudent security measure that you should consider implementing if it is not currently in place.
Access Manager Solution: Shared Session Cookies
The security issue labeled “Security Issue: Shared Session Cookies” in this document pertains to applications sharing the same HTTP or HTTPS session cookie. Access Manager addresses this security threat by issuing a unique SSO token to each Application/Agent after the user has been authenticated. The unique SSO token is referred to as a "restricted token."
The term “Application/Agent,” indicates that the restricted token is inextricably connected to the application and to the agent (which specifically refers to an agent from the Policy Agent 2.2 software set). Since each user's SSO token is unique for each Application/Agent, the increased security provided by this scenario prevents an untrusted application, impersonating the user, from accessing other applications. More specifically, since the SSO token (restricted token) assigned to a user (as a part of the user's session) is associated with the agent that did the initial redirection for authentication, all subsequent requests are checked to verify that they are coming from the same agent. Thus, if a hacker tries to use the same restricted token to access another application, a security violation is thrown.
What makes the restricted token “restricted” is not related to the syntax of the token. The syntax of a restricted token is the same as that of a regular SSO token. Instead, a specific constraint is associated with the restricted token. This constraint is what ensures that the restricted token is only used for an application that a given agent protects.
Access Manager Solution: A Less Secure Application
The security issue labeled “Security Issue: A Less Secure Application” in this document pertains to the potential threat of applications that are “less secure.” With the Access Manager solution, if one application is somehow compromised, the hacker cannot hack into other applications.
Access Manager Solution: Modification of Profile Attributes
The security issue labeled “Security Issue: Access to User Profile Attributes” in this document pertains to the threat posed by an untrusted application modifying the profile attributes of the user. The Access Manager solution to this issue does not change the SSO token. The restricted SSO token is identical to the regular SSO token ID. However, the set of Session Service operations that accept restricted SSO token IDs is limited. This functionality enables Access Manager to prevent applications from modifying profile attributes of the user.
Key Aspects of the Access Manager Solution: Cookie Hijacking Security Issues
The following subsections explain some of the key or more complex aspects of the Access Manager solution to the cookie hijacking security issues defined in this document.
The Significance of Creating an Agent Profile for Each Agent
A key task presented in this document is the task of ensuring that each agent has its own agent profile. For Policy Agent 2.2, J2EE agents and web agents differ in regard to the agent profile. Each J2EE agent must have a unique agent profile to function. Web agents, on the other hand, have a default value for the agent profile that all web agent instances can share. Therefore, to configure web agents against session-cookie hijacking, you must perform additional configuration steps after a web agent is installed to ensure that each web agent has a unique agent profile.
Basically, all the configuration steps presented in this document rely on each agent having its own agent profile. As explained in Access Manager Solution: Shared Session Cookies, a situation where applications share session cookies presents a security issue. Access Manager addresses this potential security risk by issuing a unique SSO token to each agent. In order to issue a unique SSO token to each agent, each agent must have its own agent profile.
Access Manager Session Cookies Involved in Issuing Unique SSO Tokens
When Access Manager is configured to issue unique SSO tokens for each Application/Agent, the following cookies are involved:
|
Cookie Name |
Cookie Value (place holder) |
Example Cookie Domain Information |
|---|---|---|
|
iPlanetDirectoryPro |
SSO-token |
amHost.example.com |
The value of this cookie, which is represented in the preceding table with the place holder SSO-token, is the actual value of the token. The domain is set to the host name of the Access Manager instance where the user was authenticated.
|
Cookie Name |
Cookie Value (place holder) |
Example Cookie Domain Information |
|---|---|---|
|
iPlanetDirectoryPro |
restricted-SSO-token |
agentHost.example.com |
The value of this cookie, which is represented in the preceding table with the place holder restricted-SSO-token, is the actual value of the token. The domain is set to the host name of the agent instance for which the restricted token is issued.
|
Cookie Name |
Example Cookie Value |
Example Cookie Domain Information |
|---|---|---|
|
sunIdentityServerAuthNServer |
https://amHost.example.com:8080 |
.example.com |
The value of this cookie, which is represented in the preceding table with the example URL https://amHost.example.com:8080, is the URL of the Access Manager instance where the user was authenticated. The protocol used for this particular example is HTTPS while the port number is a non-default example, 8080. The domain must be set such that it covers all the instances of Access Manager installed on the network.
Enabling Access Manager to Use Unique SSO Tokens
To enable Access Manager to issue unique SSO tokens, you must enable CDSSO. Therefore, though CDSSO is usually enabled for multiple-domain deployments, in this case, CDSSO must be enabled whether the entire deployment is on a single domain or is spread across multiple domains. In no way does enabling CDSSO for a single domain negatively affect the deployment.
The next section describes the steps required to configure Access Manager to prevent session-cookie hijacking from causing a breach of security.
- © 2010, Oracle Corporation and/or its affiliates