An attacker can trick a browser into sending the JSESSION cookie, which carries a valid user session, over a non-secure connection. This is possible because Access Gateway communicates with its ESP on port 9009, which is a non-secure connection. ESP cannot tell whether Access Gateway is using SSL to communicate with the browser, so it does not mark the JSESSION cookie as Secure when it creates the cookie. Access Gateway receives the Set-Cookie header from ESP and passes it to the browser as a non-secure clear-text cookie. If an attacker spoofs the domain of Access Gateway (for example, by luring the browser to an http:// URL in that domain), the browser sends the JSESSION cookie over the non-secure channel, where it can be sniffed.
To prevent this, first configure Access Gateway to use SSL. See Section 7.2.1, Enabling SSL between Browsers and Access Gateway.
After configuring SSL, perform the following steps to configure Tomcat to mark the cookie as Secure:
Open the Access Gateway server.xml file.
Search for the connector on port 9009.
Add the following attribute to the Connector element:
secure="true"
This tells Tomcat to treat requests arriving through this connector as secure, so the session cookie it creates carries the Secure attribute and the browser sends it only over HTTPS.
For information about how to edit a file, see Modifying Configurations in the NetIQ Access Manager CE 24.2 (v5.1) Administration Guide.
NOTE: This file is specific to each cluster. When you apply changes from this file, each cluster retains its own keystore password.
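The steps above, carried out and verified from the shell, as an added example that is not from the NetIQ documentation. The server.xml fragment is constructed for the example; only the port number 9009 and the secure="true" attribute come from the page, while the other Connector attributes, the JSESSIONID cookie name in the sample header lines (Tomcat's default session cookie name) and the gateway URL passed to the live check are assumptions.

```shell
#!/bin/sh
# Added example, not from the NetIQ Access Manager documentation.
# Assumptions: a Tomcat-style server.xml whose Connector elements each fit on
# one line; JSESSIONID as the session cookie name; a gateway URL supplied by
# the caller. Only port 9009 and secure="true" come from the documentation.
set -eu

# Constructed sample of the relevant part of server.xml. Every attribute
# other than port="9009" is invented for the example.
SAMPLE_SERVER_XML='<Service name="Catalina">
  <Connector port="8080" redirectPort="8443"/>
  <Connector port="9009" enableLookups="false" redirectPort="8443"/>
</Service>'

# Print the given server.xml content with secure="true" added to the Connector
# on port 9009. Other connectors are untouched, and a connector that already
# carries secure="true" is left as is, so the edit can be re-run safely.
add_secure_to_9009() {
    printf '%s\n' "$1" | sed -E '/<Connector[^>]*port="9009"/{
/secure="true"/!s/<Connector /<Connector secure="true" /
}'
}

# Return 0 only if a Set-Cookie header line carries the Secure attribute.
# Attribute names are case-insensitive and may be padded with spaces, so the
# line is lowercased, stripped of CR, and "; " is normalised to ";" before
# matching ";secure" as a whole attribute (so "securetoken=1" does not count).
cookie_is_secure() {
    normalised=$(printf '%s' "$1" | tr -d '\r' | tr '[:upper:]' '[:lower:]' | sed 's/; */;/g')
    case "$normalised" in
        *";secure"|*";secure;"*) return 0 ;;
    esac
    return 1
}

# Live check against a gateway: fetch only the response headers of a URL and
# report each Set-Cookie line as secure or INSECURE. Not executed here.
check_gateway_cookies() {
    url="$1"
    curl -s -o /dev/null -D - "$url" | grep -i '^set-cookie:' | while IFS= read -r line; do
        if cookie_is_secure "$line"; then
            printf 'secure   %s\n' "$line"
        else
            printf 'INSECURE %s\n' "$line"
        fi
    done
}

# Show the corrected Connector line, then check two constructed header lines:
# the first is what the gateway should emit after the fix, the second is the
# clear-text cookie the page warns about.
add_secure_to_9009 "$SAMPLE_SERVER_XML"
cookie_is_secure 'Set-Cookie: JSESSIONID=1A2B3C; Path=/; HttpOnly; Secure' && echo "with Secure: ok"
cookie_is_secure 'Set-Cookie: JSESSIONID=1A2B3C; Path=/; HttpOnly' || echo "without Secure: browser would send it over http"
```

After restarting Tomcat, run check_gateway_cookies against an https:// URL of the gateway that starts a session; every Set-Cookie line should be reported as secure. If the real server.xml spreads the port-9009 Connector over several lines, the sed expression will not find port="9009" on the opening line, so edit the element by hand in that case.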
Preventing Automatically Changing Session ID
On the Home page, click Access Gateways > Edit > Reverse Proxy / Authentication > ESP Global Options.
Set RENAME_SESSIONID to false. The default is true.
Restart Tomcat on each Identity Server in the cluster.