Howto Clear origin web server session cookies on AG session termination

  • 7009775
  • 21-Nov-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Access Gateway Service
Novell Access Manager 3.1 Support Pack 3 applied

Situation

When a browser session with an Access Gateway terminates, all Access Gateway session cookies are cleared or reset, but the origin web server's HTTP session cookies remain untouched.

The general problem use-case is when two users (User-A and User-B) use the same browser client to access AG protected resources. When User-A authenticates to a protected resource, the origin server of the protected resource will establish a session with the browser client using HTTP session cookies. When User-A logs out of the AG, either by accessing the logout URL or by idle timeout, the origin web server's session cookie remains intact. User-B can then authenticate to the Access Gateway, but will resume User-A's session on the origin web server.

Many customers new to NAM/iChain initially discover this scenario as a security concern, and then later learn to manage it through various workarounds (https://www.novell.com/communities/node/6731/clearing-novell-access-manager-application-sessions). It would be ideal if NAM would provide a standard way to invalidate origin web server sessions at the same time NAM sessions are invalidated.

This is a particularly problematic issue for password management, security approval and HR applications. It is most visible to customers with many users that share machines, such as store/teller kiosks and health care workstations.

Resolution

Apply Access Manager 3.1 Support Pack 4 to a system running the Access Gateway (AGS) Service (Windows or Linux) and enable the advanced option

"NAGHostOptions mangleCookies"

Note that the option name is case sensitive. Once the change is applied to the AGS, the origin web server cookies are tracked in the following manner:

When the origin web server sets any application-level cookie in the browser AND the above option is enabled, the AGS mangles the cookie using the IPC cookie of that HTTP request (the IPC cookie has already been validated by this point). When a subsequent request arrives at the AGS carrying any cookie and the above option is enabled, the AGS demangles those cookies using the IPC cookie of that request (again, already validated by this point) and sends them to the web server.

If the user logs out using /AGLogout or /nesp/app/plogout, the IPC cookie becomes invalid. If a user (possibly the same user) then logs in from the same browser session, the mangled web server application cookies are processed by the AGS proxy, which tries to demangle them using the current IPC cookie. These demangled cookies will now differ from the ones obtained prior to the logout and will therefore be treated as invalid by the web server.
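The binding described above, as an added illustration that is not Novell's code: the actual mangling algorithm used by the AGS is not documented here, so this model simply derives a keystream from the IPC cookie value (an assumed scheme) to show why a cookie mangled under User-A's IPC cookie demangles to garbage under the IPC cookie issued after a re-login. All cookie values are constructed.

```python
import base64
import hashlib
import hmac
import os


def new_ipc_cookie() -> str:
    """Constructed stand-in for the per-session IPC cookie issued by the gateway."""
    return os.urandom(16).hex()


def _keystream(ipc_cookie: str, length: int) -> bytes:
    """Derive a session-specific keystream from the IPC cookie (assumed scheme, not NAM's)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(ipc_cookie.encode(), counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def mangle(ipc_cookie: str, value: str) -> str:
    """Gateway -> browser: tie an origin-server cookie value to the current gateway session."""
    raw = value.encode()
    masked = bytes(a ^ b for a, b in zip(raw, _keystream(ipc_cookie, len(raw))))
    return base64.urlsafe_b64encode(masked).decode().rstrip("=")


def demangle(ipc_cookie: str, mangled: str) -> str:
    """Browser -> gateway: recover the value the origin server will see for this session."""
    padded = mangled + "=" * (-len(mangled) % 4)
    masked = base64.urlsafe_b64decode(padded)
    raw = bytes(a ^ b for a, b in zip(masked, _keystream(ipc_cookie, len(masked))))
    return raw.decode("utf-8", errors="replace")


def simulate_logout_relogin(app_cookie: str) -> tuple:
    """Return (value the origin sees before logout, value it sees after a re-login)."""
    ipc_a = new_ipc_cookie()            # User-A's gateway session
    stored = mangle(ipc_a, app_cookie)  # what the browser actually keeps after the origin sets it
    before = demangle(ipc_a, stored)    # same session: origin gets its own value back
    ipc_b = new_ipc_cookie()            # /AGLogout invalidates ipc_a; the next login issues ipc_b
    after = demangle(ipc_b, stored)     # stale cookie now demangles to an unrelated value
    return before, after
```

Note that only the cookie the browser presents becomes unusable; the origin server's own session object is not terminated by the gateway and still expires on the origin's own idle timeout.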