Extract HTTP Headers Using ASP

Web Agent Guides › Web Agent Configuration Guide › Protecting Web Applications › SiteMinder Default HTTP Headers › Example Applications that Use SiteMinder Default HTTP Headers › Extract HTTP Headers Using ASP

Extract HTTP Headers Using ASP

To access the default HTTP headers, you can extract their values from the environment and display them using an ASP script.

To use an ASP script to return SiteMinder variables, your script has to include the ALL_HTTP header, which retrieves all the environment variables, and code that parses out the SiteMinder variables. Use the following script as an example.

<HTML>
<HEAD><TITLE> Test Web Agent Headers </TITLE></HEAD>
<BODY BGCOLOR=#ffffff>
<TABLE BORDER=1>
<TR><TD VALIGN=TOP><B>Variable</B></TD><TD VALIGN=TOP><B>Value</B></TD></TR>
<% For Each key in Request.ServerVariables %>
<TR>
<TD><% = key %></TD>
<TD>
<%
if Request.ServerVariables(key) = "" Then
if GetAttribute(key) = "" Then
Response.Write "&nbsp" ' To force border around table cell
else
Response.Write GetAttribute(key)
end if
else
Response.Write Request.ServerVariables(key)
end if
Response.Write "</TD>"
%>
</TR>
<% Next %>
</TABLE>

<% Function GetAttribute(AttrName)
		Dim AllAttrs
		Dim RealAttrName
		Dim Location
		Dim Result

		AllAttrs = Request.ServerVariables("ALL_HTTP")
		RealAttrName = AttrName

		Location = instr(AllAttrs, RealAttrName & ":")

		if Location <= 0 then
		GetAttribute = ""
		Exit Function
		end if

		Result = mid(AllAttrs, Location + Len(RealAttrName) + 1)

		Location = instr(Result, chr(10))
		if Location <= 0 then Location = len(Result) + 1

		GetAttribute = left(Result, Location - 1)
End Function %>

Header Variables and End-User IP Address Validation

When a SiteMinder Web Agent receives a request that follows an initial request by that same user, the Agent validates the session cookie sent with the subsequent request by comparing the IP address of the requesting user with the IP address encrypted inside the session cookie. The address inside the cookie is generated by the Agent during the user’s initial request.

Mechanisms used to balance and manage incoming network traffic, such as firewalls, load balancers, cache devices, and proxies can alter the user’s IP address or make it appear as if all incoming requests are coming from a single or small group of IP addresses. As a result, the Web Agent’s IP checking becomes ineffective. The Web Agent can now perform IP checking in these network environments using a custom HTTP header and a configurable list of safe proxy IP addresses.

The following table lists the terminology for new IP checking functionality.

Term	Definition
HTTP Request Header	A name/value pair that describes a single element of an HTTP request.
Custom IP Header	A user-defined HTTP request header used by intermediate HTTP network applications or hardware devices to store the requestor’s IP address.
IP Checking	Feature that enables the Web Agent to check requests for authenticity by comparing the REMOTE_ADDR in the request with the REMOTE_ADDR value stored in the SMSESSION cookie, after an initial request. This feature is also known as IP validation.
REMOTE_ADDR	web server variable representing the IP address of the HTTP client making a request to the web server. Also known as REMOTE_IP or CLIENT_IP. This differs from the Requestor IP Address when a proxy server, NAT firewall, or other network service or device sits between the requestor and the target web server.
Requestor	The initiator of an HTTP request, typically a user at a browser.
Requestor IP Address	The IP address of the user making the original HTTP request.
Single Sign-on	Feature that requires a user to enter credentials for secure access to a protected Web site only once during a session.
SMSESSION cookie	HTTP mechanism used by Web Agents to track single sign-on state.

How Custom Headers Validate IP Addresses

The Web Agent can now use a custom HTTP header to determine a user’s IP address instead of using the REMOTE_ADDR variable. If a proxy or other device sets a custom client IP header and the Web Agent is configured to look for that header on an incoming request, the Agent uses that header as the source of the client IP information.

In addition to configuring a custom header, you can set up a list of proxy IP addresses. If the REMOTE_ADDR matches an address in the proxy list, the Web Agent retrieves the user’s IP address from the custom header. Otherwise, the user’s IP address is obtained from the REMOTE_ADDR.

After the Web Agent resolves the requestor’s IP address, the address is stored and used for request processing. If an address cannot be resolved, the IP address is set to unknown.

The Web Agent logs where the client IP address was resolved from to facilitate any debugging that may be necessary.

Configure IP Address Validation

You can implement IP‑address checking using the following parameters:

CustomIpHeader

Specifies an HTTP header for which the agent searches to find the IP address of the requestor. If no value is specified for this parameter, the default is an empty string. No maximum length is enforced and the value can be any string that contains a valid HTTP header value.

Default: No

Example: HTTP_ORIGINAL_IP

ProxyDefinition

Specifies the IP address of a proxy (such as a cache device) that requires the use of a custom HTTP header. This custom header helps the agent resolve the IP addresses of the requester.

Default: No default

Limits: The string must contain an IP address. Do not use server names or fully qualified DNS host names.

RequireClientIP

Specifies if the agent validates the IP address of the client. When this value is set to yes, the agent validates that the IP address in the browser cookie matches the IP address of the client. If the addresses do not match, a 403 error message appears in the browser of the user. If the cookie does not contain an IP address, then users are prompted for their credentials.

Default: No (client IP addresses not validated).

Note: These settings are independent of the TransientIPCheck and PersistentIPCheck parameters.

IP Address Validation with Previous Web Agent Releases

In an environment of 6.x QMR 2 or 3 Web Agents and older Agents, single sign-on may be affected if IP checking is configured.

Web Agents prior to v6.x QMR 2 and 5.x QMR 7 will not be able to resolve the requestor IP address and as a result, SMSESSION cookies created by those Web Agents may be discarded by 6.x QMR 2 or 3 Web Agents. This includes custom Agents using the SDK to generate SMSESSION cookies, Application Server Agents, and any other SiteMinder Agents in a single sign-on environment that use SMSESSION cookies.

Conversely, 6.x QMR 2 and 3 Web Agents may resolve a requestor’s IP address, which then differs from the address resolved by an older Agent.

Preserve HTTP Headers

You can configure the Web Agent to save existing HTTP headers instead of replacing them when new headers are created. This feature is useful for applications that generate multiple SiteMinder responses with the same name but with different values, and need to be included in headers. If there are multiple instances of the same HTTP header, the web server handles this by generating a single header with all the relevant header values separated by commas.

By default, the Web Agent does not preserve headers as a precaution against applications using the wrong header values. For Oracle iPlanet, Domino, and Apache Web Agents to preserve HTTP headers, set the PreserveHeaders parameter to yes. The default value is no.

Control How HTTP Header Resources are Cached

You can control how the Web Agent handles cache-related request headers by setting the following parameter:

AllowCacheHeaders

Specifies whether the web agent removes the following cache-related HTTP headers from protected-resource requests before passing those requests to the web server:

if-modified-since
if-none-match

This setting affects whether a browser uses cached pages. This setting does not affect auto-authorized resources (including values in the IgnoreExt parameter). The settings of the web server and browser determine whether auto-authorized resources are cached.

This parameter uses the following values:

Yes—The agent does not remove any cache-related HTTP headers. The SMSESSION cookies are still tracked to validate the session. When the session expires, the web agent sends an updated SMSESSION cookie with a 304 "not modified" response. This response is applied to the unmodified resources that are stored in the cache. The time indicated in the if-modified-since HTTP header determines when this behavior occurs.

Important! When this parameter is set to yes, pages of personalized applications lacking the appropriate cache control headers could possibly be cached. This situation introduces unexpected behavior and allows a browser to save sensitive data to the disk.

No—The agent removes the cache-related HTTP headers only from protected resource-requests only. The web server treats the request as unconditional. The contents of the cache are not validated.
None—The Web agent removes all cache-related headers for protected and unprotected resources.

For terminated sessions, the browser does not use cached content. The value of the AllowCacheHeaders parameter is ignored.

The settings of this parameter affect the following parameters:

LogOffUri—Set the value of the AllowCacheHeaders parameter to no when using the LogOffUri parameter. Otherwise these sessions do not terminate properly. A cached log-out page could possibly be served to a user.

Default: No

Limits: Yes, No, None

To remove all cache related headers from protected and unprotected resources, set the value of the AllowCacheHeaders parameter to none.

Note: For more information about HTTP 1.1 caching mechanisms, see RFC 2616, Section 13 "Caching in HTTP."

Use Lower Case HTTP in Headers (for Oracle iPlanet, Apache, and Domino web servers)

If you have server applications that are case-sensitive, you can specify the case of the Agent’s HTTP headers. The Web Agent defaults to lower case headers.

For example, Oracle iPlanet web servers, by default, provide the HTTP header variables in lower-case, such as http_sm_user.

Note: IIS Web Agents do not benefit from this feature, because IIS forces all headers to an upper case format.

To use lower case headers, set the LowerCaseHTTP parameter to yes. If you require upper-case header variables, set LowerCaseHTTP to no.

More information:

Record the Transaction ID in Oracle iPlanet Web Server Logs