The following subsections explain some of the key or more complex aspects of the OpenSSO Enterprise solution to the cookie hijacking security issues defined in this chapter.
When OpenSSO Enterprise is configured to issue unique SSO tokens for each Application/Agent, the following cookies are involved:
| Cookie Name | Cookie Value (placeholder) | Example Cookie Domain Information |
|---|---|---|
| iPlanetDirectoryPro | SSO-token | OpenssoHost.example.com |

The value of this cookie, represented in the preceding table by the placeholder SSO-token, is the actual value of the token. The domain is set to the host name of the OpenSSO Enterprise instance where the user was authenticated.
| Cookie Name | Cookie Value (placeholder) | Example Cookie Domain Information |
|---|---|---|
| iPlanetDirectoryPro | restricted-SSO-token | agentHost.example.com |

The value of this cookie, represented in the preceding table by the placeholder restricted-SSO-token, is the actual value of the restricted token. The domain is set to the host name of the agent instance for which the restricted token is issued.
| Cookie Name | Example Cookie Value | Example Cookie Domain Information |
|---|---|---|
| sunIdentityServerAuthNServer | https://OpenssoHost.example.com:8080 | .example.com |
The value of this cookie, which is represented in the preceding table with the example URL https://OpenssoHost.example.com:8080, is the URL of the OpenSSO Enterprise instance where the user was authenticated. The protocol used for this particular example is HTTPS while the port number is a non-default example, 8080. The domain must be set such that it covers all the instances of OpenSSO Enterprise installed on the network.
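The three cookies above differ only in how their Domain attribute is scoped, and that scoping is what keeps a stolen restricted token from being replayed against another agent. The following checker, an added example rather than OpenSSO Enterprise code, parses Set-Cookie lines and flags cookies whose scoping departs from the tables above; the `responding_host` parameter and the constructed sample headers are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str]  # Domain attribute as sent (dot stripped), None if host-only


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into its name, value and Domain attribute."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            # RFC 6265 ignores a leading dot and compares domains case-insensitively
            domain = val.strip().lower().lstrip(".")
    return Cookie(name.strip(), value.strip(), domain)


def is_host_scoped(c: Cookie, responding_host: str) -> bool:
    """True if the cookie has no Domain attribute or names the responding host itself."""
    return c.domain is None or c.domain == responding_host.lower()


def check_scoping(headers: List[str], responding_host: str) -> List[str]:
    """Return findings for cookies that do not follow the scoping in the tables above."""
    findings = []
    for header in headers:
        c = parse_set_cookie(header)
        if c.name == "iPlanetDirectoryPro" and not is_host_scoped(c, responding_host):
            # A domain-wide token cookie is sent to every host under that domain,
            # which defeats the purpose of issuing a per-agent restricted token.
            findings.append(f"iPlanetDirectoryPro is scoped to {c.domain!r}, not to the host")
        elif c.name == "sunIdentityServerAuthNServer":
            if is_host_scoped(c, responding_host):
                findings.append("sunIdentityServerAuthNServer must cover all OpenSSO Enterprise hosts")
            elif not responding_host.lower().endswith("." + c.domain):
                findings.append(f"sunIdentityServerAuthNServer domain {c.domain!r} excludes this host")
            if not c.value.startswith(("https://", "http://")):
                findings.append("sunIdentityServerAuthNServer value is not an OpenSSO Enterprise URL")
    return findings


# Constructed sample headers modelled on the tables above, not captured traffic.
GOOD_HEADERS = [
    "iPlanetDirectoryPro=restricted-SSO-token; Domain=agentHost.example.com; Path=/",
    "sunIdentityServerAuthNServer=https://OpenssoHost.example.com:8080; Domain=.example.com; Path=/",
]
BAD_HEADERS = ["iPlanetDirectoryPro=SSO-token; Domain=.example.com; Path=/"]
```

Running `check_scoping(GOOD_HEADERS, "agentHost.example.com")` returns no findings, while the domain-wide token in `BAD_HEADERS` is reported.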
To enable OpenSSO Enterprise to issue unique SSO tokens, you must enable CDSSO. Therefore, though CDSSO is usually enabled for multiple-domain deployments, in this case, CDSSO must be enabled whether the entire deployment is on a single domain or is spread across multiple domains. In no way does enabling CDSSO for a single domain negatively affect the deployment.
The next section describes the steps required to configure OpenSSO Enterprise to prevent session-cookie hijacking from causing a breach of security.