|Applies To||RSA Authentication Agent 5.3 for Web; Windows Server 2003|
|Issue||The RSA cookie is set for both HTTP and HTTPS requests: it is created after a successful authentication regardless of whether the request used HTTP or HTTPS.|
|Resolution||The RSA Authentication Agent for Web has no option to protect only non-SSL or only SSL connections. SecurID protection is applied per "virtual host" (Apache's terminology; "web server", i.e. a web site, in IIS terminology), so if a virtual host has SecurID protection enabled, ALL listening ports defined in that virtual host are protected. The cookie is created only after a successful SecurID authentication, regardless of the request protocol.
As a workaround, if you want to protect a web site on one specific port only, for example port 80 (HTTP) but not 443 (HTTPS), create a second virtual host and enable SecurID protection only on the virtual host that listens on port 80.
Using an IIS example:
WebSites --> DefaultWebSiteSecurID : listening on port 80, no SSL configured, pointing to folder "C:\Inetpub\wwwroot", RSA protected.
WebSites --> DefaultWebSite : listening on port 443, SSL configured and required, pointing to folder "C:\Inetpub\wwwroot", not RSA protected.
That way, only non-SSL connections are SecurID protected.|
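The two-site layout above, written out as an added PowerShell example (not from the original article and not RSA's own code). It assumes the IIS WebAdministration module, which exists on IIS 7 and later; on Windows Server 2003 / IIS 6 the same settings are made in IIS Manager. Site names, ports and the content folder follow the article; the certificate thumbprint is a placeholder; and enabling SecurID protection on the port 80 site is done in the agent's own configuration, not through any IIS cmdlet. The final check lists any site whose bindings mix http and https, because such a site cannot be protected on one port only.

```powershell
# Added example; assumes IIS 7+ with the WebAdministration module
# (not available on IIS 6 / Windows Server 2003, where IIS Manager is used instead).
Import-Module WebAdministration

$root = 'C:\Inetpub\wwwroot'                    # shared content folder, as in the article
$certThumbprint = '<THUMBPRINT-OF-SERVER-CERT>' # placeholder: thumbprint of the installed server certificate

# Site 1: HTTP only, port 80. SecurID protection is enabled on this site in the
# RSA Authentication Agent configuration (outside IIS cmdlets).
New-Website -Name 'DefaultWebSiteSecurID' -Port 80 -PhysicalPath $root -Force | Out-Null

# Site 2: HTTPS only, port 443, SSL required, not protected by the agent.
New-Website -Name 'DefaultWebSite' -Port 443 -PhysicalPath $root -Ssl -Force | Out-Null
$cert = Get-Item "Cert:\LocalMachine\My\$certThumbprint"
New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
# Require SSL on the 443 site so it never serves the content over plain HTTP.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'DefaultWebSite' `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# Check 1: the agent protects every binding of a site, so a site that mixes
# http and https bindings cannot be protected on one port only. Report any such site.
function Get-MixedBindingSites {
    foreach ($site in Get-ChildItem 'IIS:\Sites') {
        $bindings  = @(Get-WebBinding -Name $site.Name)
        $protocols = @($bindings | ForEach-Object { $_.protocol } | Sort-Object -Unique)
        if (($protocols -contains 'http') -and ($protocols -contains 'https')) {
            [pscustomobject]@{
                Site     = $site.Name
                Bindings = ($bindings | ForEach-Object { $_.bindingInformation }) -join ', '
            }
        }
    }
}

# Check 2: confirm which site owns each port, so port 80 sits only on the protected site.
function Get-PortOwners {
    foreach ($site in Get-ChildItem 'IIS:\Sites') {
        foreach ($b in Get-WebBinding -Name $site.Name) {
            [pscustomobject]@{
                Site     = $site.Name
                Protocol = $b.protocol
                Binding  = $b.bindingInformation   # format is IP:port:hostheader
            }
        }
    }
}

Get-MixedBindingSites
Get-PortOwners | Sort-Object Binding
```

Run the two checks again after any later binding change: adding an https binding to DefaultWebSiteSecurID, for example, would silently bring port 443 under SecurID protection, and Get-MixedBindingSites is the quickest way to spot that.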
|Notes||Note that installing the RSA Agent enforces some of the permissions already required by the web server; the RSA Agent does not add or remove permissions on any web server, and installing it does not alter the web server's functionality. The RSA Agent behaves like a plugin on any web server.|
|Legacy Article ID||a45540|