Linux Access Gateway does not perform IP address check when processing session cookie

  • 3273803
  • 16-May-2007
  • 26-Apr-2012

Environment


Novell Access Management 3 Linux Access Gateway
Novell Access Manager 3 Interim Release 2 applied

Situation

When a user authenticates to the IDP server while accessing a protected resource on the Access Gateway server, a cookie is set for the lifetime of that session. Subsequent requests to the Access Gateway include this session cookie. The Access Gateway proxy service parses the session cookie and validates it; one validation test is to make sure that the IP address of the user-agent that authenticated initially is the same as the one sending the subsequent requests with that cookie. The goal of this check is to prevent session hijacking.

There appears to be an inconsistency between the Linux Access Gateway (LAG) and the NetWare Access Gateway (NAG) on this point. The NAG performs the check by default, but the LAG does not appear to perform any IP address check at all.

Resolution

The LAG update in Access Manager Support Pack 1 Beta 1 and onwards performs IP address checks. If an administrator needs to disable this for any reason, it can be done by creating the file /etc/lagDisableAuthIPCheck and doing an "apply" to push out the configuration change.

The corresponding switch on the NAG, available with all NAG builds, is to load the proxy in the appstart.ncf file with the '-ri' option (remove IP address check), e.g. load proxy -ri.
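The following is an added illustration of the validation step described in the Situation and Resolution sections above; it is not Novell's code. It shows a session cookie bound to the user-agent's source IP at authentication time, rejected when the same cookie arrives from a different address, and a marker-file switch modelled on /etc/lagDisableAuthIPCheck (the cookie format, the HMAC secret and the Gateway class are assumptions made for the example).

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Marker file named in the TID; if it exists, the IP check is skipped.
DISABLE_FILE = "/etc/lagDisableAuthIPCheck"


@dataclass
class Session:
    user: str
    client_ip: str  # address of the user-agent that authenticated


class Gateway:
    """Minimal stand-in for the proxy service's cookie validation (constructed example)."""

    def __init__(self, secret: bytes, disable_file: str = DISABLE_FILE):
        self._secret = secret
        self._disable_file = disable_file
        self._sessions: Dict[str, Session] = {}

    def ip_check_enabled(self) -> bool:
        # Mirrors the file-based switch: the check is on unless the marker file exists.
        return not os.path.exists(self._disable_file)

    def authenticate(self, user: str, client_ip: str) -> str:
        """Called after the IDP has authenticated the user; returns the cookie value."""
        sid = secrets.token_hex(16)
        mac = hmac.new(self._secret, sid.encode(), hashlib.sha256).hexdigest()
        self._sessions[sid] = Session(user, client_ip)
        return f"{sid}.{mac}"  # assumed cookie format: session id, dot, integrity tag

    def validate(self, cookie: str, client_ip: str) -> Optional[str]:
        """Return the session's user for an acceptable cookie, or None to reject the request."""
        sid, _, mac = cookie.partition(".")
        expected = hmac.new(self._secret, sid.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None  # forged or corrupted cookie
        session = self._sessions.get(sid)
        if session is None:
            return None  # unknown or expired session
        if self.ip_check_enabled() and session.client_ip != client_ip:
            return None  # same cookie from a different address: treat as a hijack attempt
        return session.user
```

With the check enabled, a replayed cookie from another address is refused; with the marker file present, the same cookie is accepted from any address, which is the trade-off an administrator makes when creating /etc/lagDisableAuthIPCheck.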