000014778 - Are Access Manager Agents susceptible to Session Fixation attacks?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014778
Applies To: RSA Access Manager Agent 4.8 for IIS 6.0
RSA Access Manager 4.8 Agent for Apache 2.2
IBM Rational AppScan
Issue: Are Access Manager Agents susceptible to Session Fixation attacks?
An IBM Rational AppScan report identified the Access Manager login pages as potentially vulnerable, with the reason "Session Identifier Not Updated".
Cause: AppScan reports the logon pages as vulnerable because a JSESSIONID cookie is present in the request and its value is not changed by a successful login. The JSESSIONID is generated by the application server whenever the logon pages are JSPs served from an application server; it is the servlet container's session identifier, not the Access Manager session.
Resolution: RSA Access Manager agents are not directly susceptible to Session Fixation attacks. RSA Access Manager uses its own encrypted session cookie, CTSESSION, to maintain the user's logon state. This cookie is set during the logon process and cleared during logout, so no CTSESSION value exists before authentication for an attacker to plant in a victim's browser, and the unchanged JSESSIONID flagged by AppScan does not carry the Access Manager logon state. To confirm this in a deployment, capture the cookies from the logon page, the login response and the logout response, and verify that CTSESSION first appears in the login response and is cleared at logout; then check that a request carrying only the pre-authentication JSESSIONID to a protected resource is denied.
For more information on Session Fixation Attacks see http://capec.mitre.org/data/definitions/60.html
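The following script is an added example, not code from this article or from RSA Access Manager. It triages a "Session Identifier Not Updated" finding by replaying the Set-Cookie headers from the logon-page, login and logout responses through a client cookie jar and reporting which session cookies were left unchanged, which were freshly issued at login, and which were cleared at logout. The three header sets are constructed to mirror the deployment the article describes (a JSP logon page served by an application server, protected by an Access Manager agent); the cookie values, paths and attributes are invented, and in practice you would paste in the headers captured from your own deployment.

```python
"""Triage a "Session Identifier Not Updated" scanner finding by replaying the
Set-Cookie headers from the logon-page, login and logout responses through a
client cookie jar and diffing the session cookies at each step.

Added example; not code from the RSA article or from RSA Access Manager.
The three header sets below are constructed; cookie values, paths and
attributes are invented.
"""
from http.cookies import SimpleCookie

# Cookies that would enable session fixation if a pre-authentication value
# were allowed to carry the authenticated session.
SESSION_COOKIE_NAMES = ("JSESSIONID", "CTSESSION")

# Constructed Set-Cookie headers, one list per response in the flow.
LOGON_PAGE_RESPONSE = [
    # the application server issues its container session before any login
    "JSESSIONID=7C3E2A9F1B4D5E6F; Path=/; HttpOnly",
]
LOGIN_RESPONSE = [
    # CTSESSION first appears here; JSESSIONID is not re-sent and stays as is
    "CTSESSION=4b2c9e0d7a1f3e5c8d6b0a2f; Path=/; Secure; HttpOnly",
]
LOGOUT_RESPONSE = [
    # the agent clears its cookie at logout (empty value plus Max-Age=0)
    "CTSESSION=; Path=/; Max-Age=0; Secure; HttpOnly",
]


def apply_set_cookie(jar, headers):
    """Return a new jar: `jar` updated the way a browser would after receiving
    `headers`. A cookie set to an empty value, Max-Age=0, or an expiry in the
    past is deleted from the jar (the standard ways to clear a cookie)."""
    jar = dict(jar)
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            cleared = (
                morsel.value == ""
                or morsel["max-age"] == "0"
                or morsel["expires"].startswith("Thu, 01 Jan 1970")
            )
            if cleared:
                jar.pop(name, None)
            else:
                jar[name] = morsel.value
    return jar


def triage_session_cookies(logon_page_headers, login_headers, logout_headers):
    """Replay the flow and classify the session cookies.

    unchanged_across_login: present before login and identical after it (the
        condition the scanner reports); a fixation problem only if such a
        cookie is what grants the authenticated state.
    rotated_at_login: present before login but given a new value by login.
    issued_at_login: absent before login and set by the login response; this
        is the cookie that actually binds the authenticated session.
    cleared_at_logout: issued_at_login cookies that the logout response removes.
    fixation_possible: True only if login neither issued nor rotated any
        session cookie, i.e. the authenticated state must ride on an
        identifier that existed before authentication.
    """
    pre_login = apply_set_cookie({}, logon_page_headers)
    post_login = apply_set_cookie(pre_login, login_headers)
    post_logout = apply_set_cookie(post_login, logout_headers)

    unchanged = [n for n in SESSION_COOKIE_NAMES
                 if n in pre_login and post_login.get(n) == pre_login[n]]
    rotated = [n for n in SESSION_COOKIE_NAMES
               if n in pre_login and n in post_login
               and post_login[n] != pre_login[n]]
    issued = [n for n in SESSION_COOKIE_NAMES
              if n not in pre_login and n in post_login]
    cleared = [n for n in issued if n not in post_logout]
    return {
        "unchanged_across_login": unchanged,
        "rotated_at_login": rotated,
        "issued_at_login": issued,
        "cleared_at_logout": cleared,
        "fixation_possible": not (issued or rotated),
    }


if __name__ == "__main__":
    result = triage_session_cookies(LOGON_PAGE_RESPONSE, LOGIN_RESPONSE,
                                    LOGOUT_RESPONSE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

For the constructed flow the script reports JSESSIONID as unchanged (which is exactly what AppScan flags), CTSESSION as issued at login and cleared at logout, and fixation as not possible. The cookie diff does not prove that a pre-authentication JSESSIONID grants nothing on its own; that is the manual request to a protected resource described in the resolution.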
Legacy Article ID: a46140
