Environment
Access Manager 4.3
Access Gateway Service or Appliance
Mangled cookies enabled
Situation
The Access Gateway is set up to protect back-end applications. Users access a protected resource, are redirected to the Identity Server where their submitted credentials are validated, and are then redirected back to the protected resource. For additional security, the application cookies are mangled on the Access Gateway using the cookie mangling advanced options.
A small subset of users claimed that access to one of the applications with cookie mangling would randomly fail. As soon as cookie mangling was disabled, all worked fine. Looking at Fiddler or HTTP header traces to understand the pattern triggering the error, we found the following:
- If a user accesses a protected resource initially (where they get the AG IPC session cookie set) but does not authenticate at the IDP server, and then
- accesses a public resource on the AG in the same or a separate tab, so that the web app sets a session cookie on the browser that the AG has to mangle, and
- waits a few minutes before continuing to access the application (e.g. the user could be redirected to a public landing page where they have to submit some information),
the problem would always happen. Since the mangled cookies are tied to the AG IPC session cookie and the user had not fully authenticated, the AG invalidates the IPC cookie, which is now being used to mangle cookies on the public resource. This in turn invalidates the session on the web server and breaks the app.
Steps to reproduce:
1. Access the private URL.
2. Get redirected to the ESP and eventually the IDP; verify that the IPC cookie is set.
3. Access a public resource whose web server app sets a cookie on the browser (cookie mangling must be enabled).
4. Continue to access the public resource, sending the mangled cookie to the AG, which de-mangles it and sends it to the web server.
5. Wait 2 minutes and access the public resource again. Note that the AG sets the IPC cookie to 0, the mangled cookie is set to 0 at the browser, and the AG doesn't send the cookie to the web server.
Resolution
Fixed in 4.3 SP3. This build provides an Advanced Option
NAGGlobalOptions TempUserTTL=<value in minutes>.
which can be used to increase the session time of the temporary user that exists during first-time authentication. If this option is not set, the default value of 2 minutes applies.
If the option is set, the value must be between 2 and 30 minutes. A value above 30 minutes is ignored and behavior falls back to the default.
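The following is an added simplified model of the behaviour described in this article, not NetIQ's own code: a temporary (unauthenticated) session tied to the IPC cookie expires after TempUserTTL minutes, taking the mangled application cookies with it. The class and function names are assumptions, the TempUserTTL validation follows the rules stated above, and values below 2 minutes are assumed to fall back to the default as well (the article only documents the upper bound).

```python
from dataclasses import dataclass, field

DEFAULT_TEMP_USER_TTL_MIN = 2   # default when TempUserTTL is not set
MAX_TEMP_USER_TTL_MIN = 30      # values above this are ignored

def effective_temp_user_ttl(option_value):
    """TTL the gateway applies: absent -> 2 min; 2..30 honoured; above 30 -> default.
    Values below 2 are treated as falling back too (assumption, not documented)."""
    if option_value is None or not (2 <= option_value <= MAX_TEMP_USER_TTL_MIN):
        return DEFAULT_TEMP_USER_TTL_MIN
    return option_value

@dataclass
class Gateway:
    temp_ttl_min: int
    temp_sessions: dict = field(default_factory=dict)  # IPC cookie -> creation time (min)
    mangled: dict = field(default_factory=dict)        # mangled value -> (IPC cookie, app cookie)

    def access_private(self, now, ipc):
        """Steps 1-2: a private URL hit creates a temporary, not yet authenticated session."""
        self.temp_sessions[ipc] = now

    def mangle_app_cookie(self, ipc, app_cookie):
        """Step 3: a back-end cookie set on a public resource is mangled and tied to the IPC session."""
        mangled = f"mangled-{ipc}-{app_cookie}"
        self.mangled[mangled] = (ipc, app_cookie)
        return mangled

    def demangle(self, now, mangled):
        """Steps 4-5: return the cookie forwarded to the web server, or None if the AG dropped it."""
        ipc, app_cookie = self.mangled.get(mangled, (None, None))
        if ipc is None or ipc not in self.temp_sessions:
            return None
        if now - self.temp_sessions[ipc] >= self.temp_ttl_min:
            # Temp user expired without an IDP login: the IPC cookie and every
            # mangled cookie tied to it are invalidated, breaking the app session.
            del self.temp_sessions[ipc]
            del self.mangled[mangled]
            return None
        return app_cookie

def reproduce(option_value, wait_min):
    """Run the reproduction steps and return what the web server receives at step 5."""
    gw = Gateway(effective_temp_user_ttl(option_value))
    gw.access_private(0, "IPC-1")                          # constructed sample IPC cookie
    m = gw.mangle_app_cookie("IPC-1", "JSESSIONID=abc")    # constructed sample app cookie
    if gw.demangle(1, m) != "JSESSIONID=abc":              # step 4 still works after 1 min
        raise RuntimeError("unexpected early failure")
    return gw.demangle(wait_min, m)

if __name__ == "__main__":
    print("default TTL:", reproduce(None, 2))   # None: app session broken after 2 min
    print("TTL=10    :", reproduce(10, 2))      # JSESSIONID=abc: still forwarded
```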