|Applies To||RSA ClearTrust Plugin|
|Issue||How to enable ClearTrust cookie with single entity domains (flat DNS)|
When using a single entity domain structure (flat DNS), all hosts are attached to a single non-hierarchical domain name: instead of host.rsa.com, a flat DNS uses host.rsa only. In this situation a cookie created by the Plugin is rejected by the HTTP client (browser).
|Cause||The domain value is set in the Plugin's Default.conf file during installation. If it is set to 'rsa', the Plugin creates client cookies with a domain value of .rsa. Such a cookie is not legal according to RFC 2109, section 4.3.2, quoted below:|
4.3.2 Rejecting Cookies
To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:
* The value for the Path attribute is not a prefix of the request-URI.
* The value for the Domain attribute contains no embedded dots or does not start with a dot.
* The value for the request-host does not domain-match the Domain attribute.
* The request-host is a FQDN (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.
Examples:
* A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com would be rejected, because H is y.x and contains a dot.
* A Set-Cookie from request-host x.foo.com for Domain=.foo.com would be accepted.
* A Set-Cookie with Domain=.com or Domain=.com., will always be rejected, because there is no embedded dot.
* A Set-Cookie with Domain=ajax.com will be rejected because the value for Domain does not begin with a dot.
The wording of point 2 above is awkward. In plain terms, a Domain value must start with a dot and contain at least one further dot after it (an embedded dot). '.rsa' starts with a dot but has no embedded dot, so it fails this criterion.
|Resolution||The domain value in the Plugin's Default.conf can be removed. The Plugin will then issue legal cookies.|
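As an added example (not from this article and not code from the ClearTrust Plugin), the following Python checker applies the Domain rules of RFC 2109 section 4.3.2 quoted above, together with the domain-match definition from section 2 of the same RFC, to the RFC's own examples and to the flat-DNS case described here. The function names and sample host names are constructed for illustration. It also covers the resolution: a Set-Cookie with no Domain attribute is accepted, because RFC 2109 section 4.3.1 makes Domain default to the request-host.

```python
from typing import Optional

# Added example, not part of the RSA article or the ClearTrust Plugin.
# Function names and sample host names are constructed for illustration.


def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 section 2 'domain-match'.

    host domain-matches domain if the two strings compare equal, or if
    domain starts with a dot and host is a longer name ending in domain.
    """
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return domain.startswith(".") and host.endswith(domain) and len(host) > len(domain)


def looks_like_ip(host: str) -> bool:
    """Crude IPv4 check: four dot-separated decimal labels (constructed helper)."""
    labels = host.split(".")
    return len(labels) == 4 and all(label.isdigit() for label in labels)


def reject_reason(request_host: str, domain: Optional[str]) -> Optional[str]:
    """Apply the Domain-related rules of RFC 2109 section 4.3.2.

    Returns the reason a user agent would reject the cookie, or None if the
    Domain attribute is acceptable for a request to request_host. The Path
    rule is not modelled; the path is assumed to be the default.
    """
    if domain is None:
        # RFC 2109 section 4.3.1: Domain defaults to the request-host, so a
        # cookie with no Domain attribute never trips these rules.
        return None
    d = domain.lower()
    if not d.startswith("."):
        return "Domain does not start with a dot"
    if "." not in d[1:-1]:
        # An embedded dot is one that is neither leading nor trailing,
        # so '.com', '.com.' and '.rsa' all fail here.
        return "Domain contains no embedded dot"
    if not domain_match(request_host, d):
        return "request-host does not domain-match Domain"
    if not looks_like_ip(request_host):
        # request-host has the form HD; reject if H itself contains a dot.
        h = request_host.lower()[: -len(d)]
        if "." in h:
            return f"request-host is H+D with H={h!r} containing a dot"
    return None


if __name__ == "__main__":
    # Constructed cases: the RFC's examples, the flat-DNS case, and the fix.
    cases = [
        ("y.x.foo.com", ".foo.com"),
        ("x.foo.com", ".foo.com"),
        ("x.foo.com", ".com"),
        ("x.foo.com", ".com."),
        ("ajax.com", "ajax.com"),
        ("host.rsa", ".rsa"),      # Default.conf domain value 'rsa' on flat DNS
        ("host.rsa", None),        # domain value removed from Default.conf
        ("host.rsa.com", ".rsa.com"),
    ]
    for host, dom in cases:
        verdict = reject_reason(host, dom) or "accepted"
        print(f"request-host={host:<14} Domain={str(dom):<10} -> {verdict}")
```

Running the block prints one verdict per case; the '.rsa' cookie is rejected for the same reason as '.com' (no embedded dot), while the cookie with no Domain attribute is accepted, which is what removing the domain value from Default.conf achieves. Browsers today follow RFC 6265, which strips a leading dot instead of requiring one, but the substance of the check (the request host must fall within the cookie's domain) still applies, so the checker is a reasonable pre-rollout sanity test for a configured domain value.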
|Legacy Article ID||a9628|