000019480 - How to enable ClearTrust cookie with single entity domains (flat DNS)

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000019480
Applies ToRSA ClearTrust Plugin
IssueHow to enable ClearTrust cookie with single entity domains (flat DNS)
When using a single entity domain structure ( flat DNS) all host are attached to a single non-hierarchical domain name. Instead of host.rsa.com a flat DNS will use host.rsa only. In this situation a cookie created by our Plugin is rejected by the HTTP Client (browser).
CauseThe domain value is set in the Plugin's Default.conf file during installation.  If this is set as 'rsa' the Plugin will create Client cookies with a domain value of .rsa. This is a non legal Cookie according to RFC 2109 ;

4.3.2 Rejecting Cookies
To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:
  * The value for the Path attribute is not a prefix of the request-URI.
  * The value for the Domain attribute contains no embedded dots or does not start with a dot.
  * The value for the request-host does not domain-match the Domain attribute.
  * The request-host is a FQDN (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.
  * A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com would be rejected, because H is y.x and contains a dot.
  * A Set-Cookie from request-host x.foo.com for Domain=.foo.com would be accepted.
  * A Set-Cookie with Domain=.com or Domain=.com., will always be rejected, because there is no embedded dot.
  * A Set-Cookie with Domain=ajax.com will be rejected because the value for Domain does not begin with a dot.

The diction used for point 2 above is not good. To translate, a Domain value must start with a dot and contain a dot. '.rsa' will fail this criteria.
ResolutionThe domain value in the Plugin Default.conf can be removed. This will cause the Plugin to issue legal Cookies.
Legacy Article IDa9628