You can reduce the risk that an attacker who hijacks a SiteMinder session cookie can reuse it on another domain by having SiteMinder validate the domain of the session cookie with the following parameter:
TrackSessionDomain
Instructs the Web Agent to encrypt and store the intended domain of a session cookie within the session cookie itself. When the session cookie is presented on a subsequent request, the Web Agent compares the intended domain stored within the session cookie against the domain of the requested resource. If the domains do not match, the Web Agent rejects the request.
For example, when the value of this parameter is set to yes, session cookies intended for use with operations.example.com would be rejected by the Web Agent if they were presented at finance.example.com.
Default: No
To have SiteMinder validate the domain of a session cookie, set the value of the TrackSessionDomain parameter to yes. Note that this check only defeats replay of a stolen cookie on a different domain; a cookie replayed against the same domain it was issued for still passes, so it complements rather than replaces cookie protections such as the Secure flag and short session timeouts.
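The following is an added illustration of the decision the parameter description above makes; it is not SiteMinder's code, cookie format or key handling. It binds the intended domain into the session cookie and authenticates the pair with an HMAC (an integrity tag rather than the encryption the product uses, which is sufficient to show why a forged domain field is detected), then shows the same cookie being accepted at operations.example.com, rejected at finance.example.com when tracking is on, and accepted there when tracking is off (the default). The key, session ID and hostnames are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: a real agent keeps its own protected key material.
AGENT_KEY = b"demo-agent-key-do-not-use-in-production"
TAG_LEN = hashlib.sha256().digest_size


def normalize_host(host: str) -> str:
    """Lower-case the host and drop any port or trailing dot so comparison is exact."""
    host = host.strip().lower()
    if host.startswith("["):             # IPv6 literal such as [::1]:8443
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    return host.rstrip(".")


def issue_cookie(session_id: str, intended_domain: str, key: bytes = AGENT_KEY) -> str:
    """Store the intended domain in the cookie and authenticate session id + domain together."""
    payload = json.dumps({"sid": session_id, "domain": normalize_host(intended_domain)}).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def validate_cookie(cookie: str, requested_host: str,
                    track_session_domain: bool = True, key: bytes = AGENT_KEY):
    """Return (accepted, detail). track_session_domain mirrors the TrackSessionDomain setting."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:                   # binascii.Error is a ValueError subclass
        return False, "malformed cookie"
    if len(raw) <= TAG_LEN:
        return False, "malformed cookie"
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "tampered cookie"
    data = json.loads(payload)
    host = normalize_host(requested_host)
    if track_session_domain and data["domain"] != host:
        return False, f"cookie bound to {data['domain']} presented at {host}"
    return True, data["sid"]


def forge_domain(cookie: str, new_domain: str) -> str:
    """Attacker simulation: rewrite the stored domain without knowing the key."""
    raw = base64.urlsafe_b64decode(cookie.encode())
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    data = json.loads(payload)
    data["domain"] = normalize_host(new_domain)
    return base64.urlsafe_b64encode(json.dumps(data).encode() + tag).decode()


if __name__ == "__main__":
    cookie = issue_cookie("sess-1234", "operations.example.com")
    print(validate_cookie(cookie, "operations.example.com"))
    print(validate_cookie(cookie, "finance.example.com"))
    print(validate_cookie(cookie, "finance.example.com", track_session_domain=False))
    print(validate_cookie(forge_domain(cookie, "finance.example.com"), "finance.example.com"))
```

The third call models the default (TrackSessionDomain=No): the replayed cookie is accepted at finance.example.com because no domain check runs. The last call shows why the stored domain must be protected: an attacker who edits the domain field to match the target host invalidates the tag and is rejected before the domain comparison is even reached.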
Copyright © 2010 CA. All rights reserved.