000022216 - What is cookie IP checking in RSA ClearTrust?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.

Article Content

Article Number: 000022216

Applies To:
RSA ClearTrust Agent 4.6 for Microsoft Internet Information Services (IIS) 6.0

Issue:
What is cookie IP checking in RSA ClearTrust?
Web browser loops to RSA ClearTrust logon page; user's cookie not accepted for authentication
Inter-Site Single Sign-On (ISSO) does not work; user is always redirected to RSA ClearTrust logon page on Replica server after authenticating on the Primary server

Cause:
How does cookie IP checking work?

When a user authenticates, the RSA ClearTrust Agent extracts the browser's IP address from the REMOTE_ADDR server variable exposed by the web server. It then stores this value in the authentication cookie. Subsequently, each time the authentication cookie is presented for authorization, the IP address is extracted from the cookie and compared to the current session's REMOTE_ADDR value. If these values do not match, the cookie is not used for authentication, and the user is presented with the logon page for reauthentication.

This feature is designed to prevent an attacker who captures the user's browser cookie over the network from replaying it to the web server from a browser on a different IP address. The feature has limitations that make it practical only in a known environment, usually an intranet installation. In extranet or Internet environments, the IP address reported by the web server may change because of proxy servers, load balancers, or firewalls between the client and the server. This can cause intermittent authentication failures.

There are also limits to how effective this setting is at preventing cookie replay attacks. A determined attacker can spoof the source IP address of the client during the replay attack and thereby avoid detection. If additional security is required, one useful strategy is to ensure that authentication cookies are issued only over an SSL connection, which protects the client-server connection. ClearTrust cookies are also encrypted, which limits the practicality of cookie replay attacks. Exposure to blind cookie replay attacks can be reduced by decreasing the cleartrust.agent.token_cache_ttl value. Exposure to cryptographic attacks can be reduced by decreasing the keyserver key generation interval.
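The following simulation, added here as an illustration and not RSA's own agent code, walks through the mechanism described above: the REMOTE_ADDR seen at logon is bound into the cookie, and every later request is accepted only if its REMOTE_ADDR matches when the check is on. It also shows the proxy/load-balancer failure mode, where the address changes between requests and the user is sent back to the logon page. The function names, the HMAC-signed cookie format (standing in for ClearTrust's real cookie encryption) and the sample addresses are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed demo key; a real agent gets its keys from the ClearTrust keyserver.
AGENT_KEY = b"constructed-demo-key-not-a-real-secret"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def issue_cookie(user: str, remote_addr: str) -> str:
    """Simulate the agent issuing an authentication cookie at logon.

    The REMOTE_ADDR observed at logon is stored inside the cookie, and the
    whole payload is integrity-protected so the stored address cannot be
    edited without the key (a stand-in for ClearTrust's cookie encryption).
    """
    payload = json.dumps({"user": user, "ip": remote_addr}, sort_keys=True).encode()
    tag = hmac.new(AGENT_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def validate_cookie(cookie: str, remote_addr: str, cookie_ip_check: bool) -> Optional[str]:
    """Simulate the agent checking a presented cookie on a later request.

    Returns the user name if the cookie is accepted, or None when the agent
    would reject it and redirect the browser to the logon page. With
    cookie_ip_check enabled (cleartrust.agent.cookie_ip_check), the address
    bound into the cookie must equal the current request's REMOTE_ADDR.
    """
    raw = base64.urlsafe_b64decode(cookie.encode())
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(AGENT_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or foreign cookie
    claims = json.loads(payload)
    if cookie_ip_check and claims["ip"] != remote_addr:
        return None  # IP mismatch: user is sent back to the logon page
    return claims["user"]


def simulate_requests(cookie_ip_check: bool, addrs: List[str]) -> List[bool]:
    """Replay a sequence of REMOTE_ADDR values for one user session.

    addrs[0] is the address seen at logon; the rest are follow-up requests.
    Returns one True/False per follow-up request: whether the cookie was
    accepted. A False models the "browser loops to the logon page" symptom.
    """
    cookie = issue_cookie("alice", addrs[0])
    return [validate_cookie(cookie, a, cookie_ip_check) == "alice" for a in addrs[1:]]


if __name__ == "__main__":
    # Constructed sample traffic.
    intranet = ["10.0.0.5", "10.0.0.5", "10.0.0.5"]          # client talks directly
    proxied = ["10.0.0.5", "10.0.0.6", "10.0.0.5", "10.0.0.7"]  # proxy pool, address varies
    print("intranet, check on :", simulate_requests(True, intranet))
    print("proxied,  check on :", simulate_requests(True, proxied))
    print("proxied,  check off:", simulate_requests(False, proxied))
```

With a stable client address every follow-up request is accepted; once a proxy pool rotates the address the agent rejects the cookie on each mismatch, which is exactly the intermittent loop described in the Issue section, and disabling the check restores access at the cost of the IP-binding protection.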

NOTE: The default values should provide adequate security and performance for most installations.

Resolution:
To correct this issue, disable the cleartrust.agent.cookie_ip_check setting in RSA ClearTrust Agent 4.6 for Microsoft Internet Information Services (IIS) 6.0.

Workaround:
A proxy server was introduced into the environment
cleartrust.agent.cookie_ip_check setting was enabled

Legacy Article ID: a27528