Prevent Caching of Server Responses Containing Cookies

IIS web servers use output caching to store their responses, and the responses that the agent handles contain cookies. If the IIS web server serves an authentication response from its output cache, a different user could receive the authentication cookie in that cached response.

For example, user one authenticates successfully and the IIS server caches the response, cookie included. If user two then accesses the same resource as user one, the IIS web server could return the cached response for user one, with user one's cookie, to user two.

The product disables the IIS output cache for items containing cookies by default. To revert to the behavior of the previous versions of the product for backward compatibility, change the value of the following parameter to no:

IISCacheDisable

Specifies whether the IIS web server stores responses containing cookies in an output cache. The IIS web server sends cached responses before CA SiteMinder® processing occurs. Disabling the output cache forces IIS to authenticate and authorize each transaction. Setting the value of the parameter to yes prevents one user from accidentally receiving authentication or authorization responses that are meant for another user.

Default: Yes (cache disabled)

Determine when the Agent for IIS Sets Cookies

CA SiteMinder® Agents for IIS support the Application Request Routing (ARR) feature that IIS 7.x web servers offer. ARR operates on a Microsoft IIS web server similarly to the reverse proxy server feature that other web server vendors provide.

All CA SiteMinder® agents use and process cookies, and some deployments require that this cookie processing occur at a particular point in a transaction. Some circumstances require processing a cookie earlier in the transaction; other circumstances require processing it later. The conditions that call for earlier processing are listed with the EarlyCookieCommit parameter in the following procedure.

Controlling when the agent processes the cookie maintains security by enforcing CA SiteMinder® protection levels. Processing cookies at the proper time verifies that CA SiteMinder® properly protects your resources.

Important! Processing cookies at the wrong time affects protection levels. The additional processing that the ARR feature performs requires changing the relative time at which the CA SiteMinder® agent processes the cookie.

Follow these steps:

  1. From the Administrative UI, open the agent configuration object that you want.
  2. Locate the following parameter:
    EarlyCookieCommit

    Specifies whether cookies are set at an early point during processing or at a later point. Set the value of this parameter to yes when any of the following conditions exist:

    • The IIS web server uses Application Request Routing (ARR).
    • The value of the FCCCompatMode parameter is yes.
    • You are using a custom agent (developed with the CA SiteMinder® SDK).

    When this value is yes, cookies are committed (earlier) after the web agent processes the request using the OnAuthenticateRequest or OnPostAuthenticateRequest notification methods.

    Set the value of this parameter to yes to preserve the behavior of earlier CA SiteMinder® agents for any custom applications requiring early cookie processing.

    When this value is no, cookies are committed into the response (later) at the end of the pipeline during the OnSendResponse request notification method.

    Limits: Agents for IIS 7.x only. This setting only supports web applications that use Integrated pipeline mode.

    Default: No (cookies are set later, during the OnSendResponse request notification method).

  3. Click the value field, and then change the value of the previous parameter to yes.
  4. Click OK.
  5. Click Submit.

    A confirmation message appears.
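The two behaviors this page describes, committing the cookie either early or late in the IIS pipeline and refusing to cache a response that carries a cookie, can be sketched as an ASP.NET integrated-pipeline module. This is an added illustration, not CA SiteMinder agent code: the class, flag and cookie names are assumptions, and the managed PostAuthenticateRequest and EndRequest events stand in for the native OnPostAuthenticateRequest and OnSendResponse notifications named above.

```csharp
using System;
using System.Web;
// Hypothetical demo module (not CA SiteMinder code) for the ASP.NET integrated pipeline.
public class CookieTimingDemoModule : IHttpModule
{
    private static readonly bool EarlyCookieCommit = false; // mirrors EarlyCookieCommit=no
    private static readonly bool IisCacheDisable = true;    // mirrors IISCacheDisable=yes
    private const string CookieName = "DEMOSESSION";        // constructed cookie name
    public void Init(HttpApplication app)
    {
        // Early commit point: right after authentication, the managed counterpart
        // of the native OnPostAuthenticateRequest notification named on the page.
        app.PostAuthenticateRequest += (s, e) =>
        {
            if (EarlyCookieCommit) CommitCookie(((HttpApplication)s).Context);
        };
        // Late commit point: the last managed stage before the response is sent,
        // standing in for the native OnSendResponse notification.
        app.EndRequest += (s, e) =>
        {
            if (!EarlyCookieCommit) CommitCookie(((HttpApplication)s).Context);
        };
        // Whoever added a cookie (this module or the application), a response
        // that carries one belongs to a single user and must not be cached.
        app.PreSendRequestHeaders += (s, e) =>
        {
            if (IisCacheDisable) PreventCaching(((HttpApplication)s).Response);
        };
    }
    private static void CommitCookie(HttpContext ctx)
    {
        if (ctx.Items.Contains(CookieName)) return; // commit at most once per request
        ctx.Items[CookieName] = true;
        ctx.Response.Cookies.Add(new HttpCookie(CookieName, Guid.NewGuid().ToString("N"))
        {
            HttpOnly = true,                        // not readable by page script
            Secure = ctx.Request.IsSecureConnection // never sent over plain HTTP
        });
    }
    private static void PreventCaching(HttpResponse response)
    {
        if (response.Cookies.Count == 0) return;
        response.Cache.SetCacheability(HttpCacheability.NoCache); // Cache-Control: no-cache
        response.Cache.SetNoStore();                              // plus no-store
        response.Cache.SetNoServerCaching();                      // no origin-server (IIS/ASP.NET) caching
    }
    public void Dispose() { }
}
```

Register the module under system.webServer/modules of the site's web.config (Integrated pipeline mode only, matching the limit stated for EarlyCookieCommit) and toggle the two flags to observe the cookie appearing at the early or late stage while cookie-bearing responses are kept out of the output cache.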