Setting the secure=true flag to prevent spoofing on JSESSIONID cookies set by Linux Access Gateway

  • 7000479
  • 26-May-2008
  • 26-Apr-2012

Environment


Novell Access Manager 3 Linux Access Gateway
Novell Access Manager 3 Support Pack 3 applied

Situation

An attacker can trick the browser into sending the JSESSIONID cookie that holds a valid user session for the Linux Access Gateway (LAG) embedded service provider (ESP) over an unprotected channel. This can happen because LAG communicates with ESP over a non-secure connection on port 8080. Since, as far as the ESP knows, the connection is not secure, Tomcat at the ESP does not mark the JSESSIONID cookie as secure. LAG receives the Set-Cookie header from ESP and passes it back to the browser unchanged, so the browser now holds a cookie without the Secure flag. If an attacker spoofs the domain of the LAG, the browser will send the non-secure JSESSIONID cookie over a non-secure channel, where the cookie can be sniffed.
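To make the mechanism above concrete, here is an added example (not part of the TID or of the Novell product) that inspects the Set-Cookie headers LAG forwards and reports a JSESSIONID cookie that lacks the Secure attribute. The header values are constructed; the browser behaviour it models is the standard rule that a cookie without Secure is sent on both http and https URLs, while a Secure cookie goes only over https.

```python
"""Flag a JSESSIONID cookie issued without the Secure attribute and model
which URL schemes a browser would send it over.
Example code added to this TID, not from the product; headers are constructed."""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; flags such as Secure map to True."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def browser_would_send_over(header_value, scheme):
    """Browser rule: without Secure the cookie goes out on http and https;
    with Secure it is only sent on https."""
    _, _, attrs = parse_set_cookie(header_value)
    if attrs.get("secure"):
        return scheme == "https"
    return scheme in ("http", "https")


def audit_response_headers(headers, cookie_name="JSESSIONID"):
    """Return the names of session cookies in a response that lack Secure.
    `headers` is a list of (name, value) pairs as LAG forwards them."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(hvalue)
        if name == cookie_name and not attrs.get("secure"):
            findings.append(name)
    return findings


# Constructed headers. The first is what Tomcat emits when it believes the
# LAG-to-ESP connection is plain HTTP (the situation described above); the
# second is what it emits once the connector is marked secure="true".
INSECURE_HEADER = "JSESSIONID=0A1B2C3D4E5F; Path=/"
SECURE_HEADER = "JSESSIONID=0A1B2C3D4E5F; Path=/; Secure"

if __name__ == "__main__":
    for label, hdr in (("before", INSECURE_HEADER), ("after", SECURE_HEADER)):
        sent_on = [s for s in ("http", "https") if browser_would_send_over(hdr, s)]
        print(f"{label}: findings={audit_response_headers([('Set-Cookie', hdr)])} "
              f"browser sends cookie on {sent_on}")
```

Running the script with no arguments prints the before and after cases; to check a live deployment, capture the response headers the browser receives after login and pass them to `audit_response_headers`.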

To stop this from happening, users must first configure LAG to use SSL (as described in the documentation). Once SSL is configured, the administrator needs to go to the ESP Tomcat directory and add the parameter secure="true" to the 127.0.0.1:8080 connector in the server.xml file.

Resolution

Make the following changes to the server.xml file and restart Tomcat:

1) Go to the LAG/ESP box
2) Go to the directory /var/opt/novell/tomcat4/conf
3) Open server.xml in an editor, for example: vi server.xml
4) Search for the Connector on IP 127.0.0.1 and port 8080
5) Add the parameter secure="true" to this Connector element
6) Save the server.xml file
7) Restart Tomcat with '/etc/init.d/novell-tomcat4 restart'
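An added check for the steps above (example code written for this TID, not part of the Novell product): it parses a server.xml in the Tomcat 4 layout, reports whether the Connector bound to 127.0.0.1:8080 carries secure="true", and shows what the corrected element looks like. The sample file below is constructed and trimmed; the real ESP server.xml has more elements, attributes and comments.

```python
"""Verify that the ESP Tomcat server.xml marks the 127.0.0.1:8080 connector
with secure="true", and show the corrected element when it does not.
Example code added to this TID; the sample file below is constructed."""
import xml.etree.ElementTree as ET

# Constructed, trimmed server.xml in the Tomcat 4 layout. Assumption: the
# ESP connector is the one with address="127.0.0.1" and port="8080", as the
# TID states; the real file carries more elements, comments and attributes.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               address="127.0.0.1" port="8080" enableLookups="false"
               acceptCount="100" connectionTimeout="20000"/>
    <Engine name="Standalone" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def find_connector(root, address="127.0.0.1", port="8080"):
    """Return the Connector element bound to address:port, or None."""
    for conn in root.iter("Connector"):
        if conn.get("address") == address and conn.get("port") == port:
            return conn
    return None


def connector_is_secure(xml_text, address="127.0.0.1", port="8080"):
    """True when the matching connector has secure="true". Tomcat treats a
    missing attribute as false, so an absent flag is reported as insecure."""
    conn = find_connector(ET.fromstring(xml_text), address, port)
    if conn is None:
        raise ValueError(f"no Connector bound to {address}:{port}")
    return conn.get("secure", "false").strip().lower() == "true"


def add_secure_flag(xml_text, address="127.0.0.1", port="8080"):
    """Return a copy of the document with secure="true" set on the matching
    connector. ElementTree drops XML comments, so treat the result as a
    preview of the edit rather than a drop-in replacement for the file."""
    root = ET.fromstring(xml_text)
    conn = find_connector(root, address, port)
    if conn is None:
        raise ValueError(f"no Connector bound to {address}:{port}")
    conn.set("secure", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    import sys
    # Pass the path to the real server.xml to check a deployment; with no
    # argument the constructed sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_SERVER_XML
    if connector_is_secure(text):
        print('ok: 127.0.0.1:8080 connector has secure="true"')
    else:
        print('missing secure="true"; corrected connector would read:')
        fixed_root = ET.fromstring(add_secure_flag(text))
        print(ET.tostring(find_connector(fixed_root), encoding="unicode"))
```

Run it against the real file after step 6 (for example `python check_connector.py /var/opt/novell/tomcat4/conf/server.xml`, with the script saved under that assumed name) to confirm the attribute landed on the right Connector before restarting Tomcat in step 7. Because the serialised output loses comments, make the actual edit with vi as in step 3 and use `add_secure_flag` only to preview the result.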