An attacker can spoof a non-secure browser into sending a JSESSION cookie that contains a valid user session. This might happen because Access Gateway communicates with its ESP on port 9009, which is a non-secure connection. Because ESP does not know whether Access Gateway is using SSL to communicate with the browsers, ESP does not mark the JSESSION cookie as secure when it creates the cookie. Access Gateway receives the Set-Cookie header from ESP and passes it to the browser as a non-secure clear-text cookie. If an attacker spoofs the domain of Access Gateway, the browser sends the non-secure JSESSION cookie over a non-secure channel where the cookie might be sniffed.
To stop this, you must first configure Access Gateway to use SSL. See Section 19.4, Configuring SSL Communication with Browsers and Access Gateway.
After you have SSL configured, you must configure Tomcat to secure the cookie.
Open Access Gateway’s server.xml file.
For information about how to open and modify a file, see Modifying Configurations.
Search for the connector on port 9009.
Add the following parameter within the Connector element:
secure="true"
Preventing Automatically Changing Session ID
Go to Devices > Access Gateway > Edit > Reverse Proxy / Authentication > ESP Global Options.
Set RENAME_SESSIONID to false. By default, this is set to true.
Restart Tomcat on each Identity Server in the cluster.