You can reduce the risk that unauthorized users hijack and reuse SiteMinder session cookies by having SiteMinder validate the domain of a session cookie with the TrackSessionDomain parameter:
Instructs the Web Agent to encrypt and store the intended domain of a session cookie within the session cookie itself. During subsequent requests, the Web Agent compares the intended domain stored within the session cookie against the domain of the requested resource. If the domains do not match, the Web Agent rejects the request.
For example, when the value of this parameter is set to yes, session cookies intended for operations.example.com are rejected when presented at finance.example.com.
In SiteMinder environments using SSO, set this parameter on the Web Agent that creates the encrypted session cookie. For example, suppose your SSO environment has domains named a.example.com and b.example.com. If the Web Agent protecting a.example.com encrypts the session cookie, set the TrackSessionDomain parameter to yes on that Web Agent. When the Web Agent protecting b.example.com receives the cookie, it compares the intended domain stored in the cookie against the domain of the requested resource.
Default: No
To have SiteMinder validate the domain of a session cookie, set the value of the TrackSessionDomain parameter to yes.
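The following Python model illustrates the check described above: the issuing agent stores the intended domain inside an integrity-protected cookie, and the receiving agent (which may protect a different SSO domain, as in the a.example.com / b.example.com case) compares that stored domain against the host of the requested resource and rejects a mismatch. This is an added example, not SiteMinder's cookie format or the Web Agent's code; it assumes a single shared agent key, a JSON cookie body, and HMAC-SHA256 for integrity in place of the encryption SiteMinder applies. The function names, the key value and the session id are constructed for the demonstration.

```python
"""Constructed model of a domain-bound session cookie (not SiteMinder's format).

Assumptions: one secret key shared by all Web Agents in the SSO environment,
a JSON cookie body, and HMAC-SHA256 as the integrity mechanism standing in
for SiteMinder's cookie encryption. The integrity step matters: the domain
stored in the cookie is only trustworthy if the presenter cannot rewrite it.
"""

import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Shared agent key (constructed demo value; a real deployment never hard-codes one)
AGENT_KEY = b"constructed-demo-agent-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def _tag(payload: bytes) -> bytes:
    """Integrity tag over the serialized cookie body."""
    return hmac.new(AGENT_KEY, payload, hashlib.sha256).digest()


def issue_session_cookie(session_id: str, intended_domain: str,
                         track_session_domain: bool) -> str:
    """Issuing agent: build the cookie. With the tracking option enabled
    (TrackSessionDomain=yes in the text), the intended domain is stored
    inside the protected body; with it disabled (the default) it is not."""
    body = {"sid": session_id}
    if track_session_domain:
        body["domain"] = intended_domain.lower()
    payload = json.dumps(body, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload + _tag(payload)).decode()


def validate_session_cookie(cookie: str, requested_url: str) -> tuple[bool, str]:
    """Receiving agent: verify integrity first, then compare the stored
    intended domain against the domain of the requested resource."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "malformed cookie"
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if len(raw) < TAG_LEN or not hmac.compare_digest(tag, _tag(payload)):
        return False, "integrity check failed"
    body = json.loads(payload)
    intended = body.get("domain")
    if intended is None:
        # Tracking was off when the cookie was issued: no domain to compare
        return True, "accepted (domain not tracked)"
    requested = (urlsplit(requested_url).hostname or "").lower()
    if requested != intended:
        return False, f"rejected: cookie for {intended} presented at {requested}"
    return True, f"accepted for {requested}"


if __name__ == "__main__":
    # Walk through the page's operations/finance example with tracking on
    cookie = issue_session_cookie("sess-0001", "operations.example.com", True)
    for url in ("https://operations.example.com/app/",
                "https://finance.example.com/reports"):
        print(url, "->", validate_session_cookie(cookie, url))
```

Run it directly to see the operations.example.com cookie accepted on its own host and rejected on finance.example.com; with the tracking flag set to False the same cookie is accepted on either host, which is the behaviour of the documented default.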
Copyright © 2011 CA. All rights reserved.