Key Aspects of the OpenSSO Enterprise Solution: Cookie Hijacking Security Issues (Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide)

Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide

Previous: OpenSSO Enterprise Solution: Modification of Profile Attributes
Next: Implementing the OpenSSO Enterprise Solution for Cookie Hijacking Security Issues

Key Aspects of the OpenSSO Enterprise Solution: Cookie Hijacking Security Issues

The following subsections explain some of the key or more complex aspects of the OpenSSO Enterprise solution to the cookie hijacking security issues defined in this chapter.

OpenSSO Enterprise Session Cookies Involved in Issuing Unique SSO Tokens

When OpenSSO Enterprise is configured to issue unique SSO tokens for each Application/Agent, the following cookies are involved:

Cookie Name	Cookie Value (place holder)	Example Cookie Domain Information
iPlanetDirectoryPro	`SSO-token`	`OpenssoHost.example.com`

The value of this cookie, which is represented in the preceding table with the place holder SSO-token, is the actual value of the token. The domain is set to the host name of the OpenSSO Enterprise instance where the user was authenticated.

Cookie Name	Cookie Value (place holder)	Example Cookie Domain Information
iPlanetDirectoryPro	`restricted-SSO-token`	`agentHost.example.com`

The value of this cookie, which is represented in the preceding table with the place holder restricted-SSO-token, is the actual value of the token. The domain is set to the host name of the agent instance for which the restricted token is issued.

Cookie Name	Example Cookie Value	Example Cookie Domain Information
sunIdentityServerAuthNServer	`https://OpenssoHost.example.com:8080`	`.example.com`

The value of this cookie, which is represented in the preceding table with the example URL https://OpenssoHost.example.com:8080, is the URL of the OpenSSO Enterprise instance where the user was authenticated. The protocol used for this particular example is HTTPS while the port number is a non-default example, 8080. The domain must be set such that it covers all the instances of OpenSSO Enterprise installed on the network.

Enabling OpenSSO Enterprise to Use Unique SSO Tokens

To enable OpenSSO Enterprise to issue unique SSO tokens, you must enable CDSSO. Therefore, though CDSSO is usually enabled for multiple-domain deployments, in this case, CDSSO must be enabled whether the entire deployment is on a single domain or is spread across multiple domains. In no way does enabling CDSSO for a single domain negatively affect the deployment.

The next section describes the steps required to configure OpenSSO Enterprise to prevent session-cookie hijacking from causing a breach of security.