Cookie Hijacking Security Issues
This section explains how performing the tasks described in this chapter enables OpenSSO Enterprise to handle the security issues discussed in the preceding section, Defining Key Cookie Hijacking Security Issues.
Note –
When applications use a secure protocol such as HTTPS, the SSO Token is not visible to network snooping. This security issue is labeled “Security Issue: Insecure Protocol” in this chapter. Ensuring that all protected resources use a secure protocol is not a security measure administered using OpenSSO Enterprise, but this a very prudent security measure that you should consider implementing if it is not currently in place.
OpenSSO Enterprise Solution: Shared Session Cookies
The security issue labeled Security Issue: Shared Session Cookies in this chapter pertains to applications sharing the same HTTP or HTTPS session cookie. OpenSSO Enterprise addresses this security threat by issuing a unique SSO token to each Application/Agent after the user has been authenticated. The unique SSO token is referred to as a "restricted token."
The term “Application/Agent,” indicates that the restricted token is inextricably connected to the application and to the agent (which specifically refers to an agent from the Policy Agent 3.0 software set). Since each user's SSO token is unique for each Application/Agent, the increased security provided by this scenario prevents an non-trusted application, impersonating the user, from accessing other applications. More specifically, since the SSO token (restricted token) assigned to a user (as a part of the user's session) is associated with the agent that did the initial redirection for authentication, all subsequent requests are checked to verify that they are coming from the same agent. Thus, if a hacker tries to use the same restricted token to access another application, a security violation is thrown.
What makes the restricted token “restricted” is not related to the syntax of the token. The syntax of a restricted token is the same as that of a regular SSO token. Instead, a specific constraint is associated with the restricted token. This constraint is what ensures that the restricted token is only used for an application that a given agent protects.
OpenSSO Enterprise Solution: A Less Secure Application
The security issue labeled “Security Issue: A Less Secure Application” in this chapter pertains to the potential threat of applications that are “less secure.” With the OpenSSO Enterprise solution, if one application is somehow compromised, the hacker cannot hack into other applications.
OpenSSO Enterprise Solution: Modification of Profile Attributes
The security issue labeled “Security Issue: Access to User Profile Attributes” in this chapter pertains to the threat posed by an untrusted application modifying the profile attributes of the user. The OpenSSO Enterprise solution to this issue does not change the SSO token. The restricted SSO token is similar to the regular SSO token ID. However, the set of Session Service operations that accept restricted SSO token IDs is limited. This functionality enables OpenSSO Enterprise to prevent applications from modifying profile attributes of the user.
Key Aspects of the OpenSSO Enterprise Solution: Cookie Hijacking Security Issues
The following subsections explain some of the key or more complex aspects of the OpenSSO Enterprise solution to the cookie hijacking security issues defined in this chapter.
OpenSSO Enterprise Session Cookies Involved in Issuing Unique SSO Tokens
When OpenSSO Enterprise is configured to issue unique SSO tokens for each Application/Agent, the following cookies are involved:
|
Cookie Name |
Cookie Value (place holder) |
Example Cookie Domain Information |
|---|---|---|
|
iPlanetDirectoryPro |
SSO-token |
OpenssoHost.example.com |
The value of this cookie, which is represented in the preceding table with the place holder SSO-token, is the actual value of the token. The domain is set to the host name of the OpenSSO Enterprise instance where the user was authenticated.
|
Cookie Name |
Cookie Value (place holder) |
Example Cookie Domain Information |
|---|---|---|
|
iPlanetDirectoryPro |
restricted-SSO-token |
agentHost.example.com |
The value of this cookie, which is represented in the preceding table with the place holder restricted-SSO-token, is the actual value of the token. The domain is set to the host name of the agent instance for which the restricted token is issued.
|
Cookie Name |
Example Cookie Value |
Example Cookie Domain Information |
|---|---|---|
|
sunIdentityServerAuthNServer |
https://OpenssoHost.example.com:8080 |
.example.com |
The value of this cookie, which is represented in the preceding table with the example URL https://OpenssoHost.example.com:8080, is the URL of the OpenSSO Enterprise instance where the user was authenticated. The protocol used for this particular example is HTTPS while the port number is a non-default example, 8080. The domain must be set such that it covers all the instances of OpenSSO Enterprise installed on the network.
Enabling OpenSSO Enterprise to Use Unique SSO Tokens
To enable OpenSSO Enterprise to issue unique SSO tokens, you must enable CDSSO. Therefore, though CDSSO is usually enabled for multiple-domain deployments, in this case, CDSSO must be enabled whether the entire deployment is on a single domain or is spread across multiple domains. In no way does enabling CDSSO for a single domain negatively affect the deployment.
The next section describes the steps required to configure OpenSSO Enterprise to prevent session-cookie hijacking from causing a breach of security.
- © 2010, Oracle Corporation and/or its affiliates