000022189 - How to prevent RSA ClearTrust authentication cookies from being issued on a specific TCP port

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000022189
Applies To: RSA ClearTrust Agent 4.6 for Microsoft IIS
Microsoft Windows Server 2003
Microsoft Internet Information Server (IIS) 6.0
Issue: How to prevent RSA ClearTrust authentication cookies from being issued on a specific TCP port
Occasionally, a user may appear to be authenticated using another user's credentials. This only occurs when the cookie is issued over a non-SSL connection and the two users are accessing the web from behind the same proxy server.
Cause: Even though the HTTP RFC specifically states that cookies should not be cached, some incorrectly configured proxy servers may cache cookies. This can create a situation where different users behind a proxy server may get a cached copy of another user's authorization cookie. Ensuring cookies are only issued over an SSL connection alleviates this problem by ensuring that a secure session is established between the web server and the browser.

The ClearTrust Agent can be configured to allow cookies to be issued only on the SSL port by setting the parameter cleartrust.agent.secure=True in the webagent.conf file.

If an SSL accelerator or proxy server is being used with the web server to manage SSL content, then the ClearTrust Agent can be installed on a normal HTTP port. To block the ClearTrust CTSESSION authentication cookie from being issued on a port other than the default SSL port of 443, use the webagent.conf parameter cleartrust.agent.cookie_port_exclusion_list.
Resolution: This issue has been resolved in a hot fix for RSA ClearTrust Agent 4.6 for IIS 5.0 and 6.0. Contact RSA Security Customer Support to obtain hot fix 4.6.0.66, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels).

A new configuration parameter, cleartrust.agent.cookie_port_exclusion_list, must be added to the webagent.conf file to use this new functionality.

NOTE: This functionality was originally introduced in RSA ClearTrust 4.5 Agent hot fix 4.5.0.32_RFE but was not ported into ClearTrust Agent 4.6. In hot fix 4.5.0.32_RFE, the retention cookie ACTSESSION was also incorrectly blocked on this port. This has been resolved in RSA ClearTrust 4.6 Agent hot fix 4.6.0.66.
Legacy Article ID: a27342
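The following is an added verification script, not RSA's code or part of this article. It reads the two webagent.conf parameters described above and audits a set of captured Set-Cookie headers, reporting any ClearTrust session cookie issued on a port where the configuration says it must not be (the situation in which a misbehaving proxy could hand the cookie to another user). Two assumptions are made: webagent.conf is parsed as plain key=value lines, as the cleartrust.agent.secure=True example suggests, and cleartrust.agent.cookie_port_exclusion_list is taken to hold a comma-separated list of TCP port numbers; the configuration and responses are constructed sample data.

```python
"""Added example (not RSA's code): audit ClearTrust session-cookie issuance per port.

Assumptions: webagent.conf is parsed as simple key=value lines, and
cleartrust.agent.cookie_port_exclusion_list holds a comma-separated list of
TCP port numbers. The configuration and responses below are constructed.
"""

SSL_PORT = 443
# CTSESSION is the authentication cookie; ACTSESSION is the retention cookie
# named in the article's note (wrongly blocked by the 4.5 hot fix).
SESSION_COOKIES = {"CTSESSION", "ACTSESSION"}


def parse_webagent_conf(text):
    """Parse key=value lines into a dict, skipping blanks and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def excluded_ports(conf):
    """Ports on which the agent must not issue the authentication cookie.
    Assumed value format: comma-separated integers."""
    raw = conf.get("cleartrust.agent.cookie_port_exclusion_list", "")
    return {int(p) for p in raw.split(",") if p.strip()}


def cookie_allowed_on_port(conf, port):
    """Policy as the article describes it: with cleartrust.agent.secure=True
    only the SSL port may carry the cookie; otherwise any port not on the
    exclusion list may."""
    if conf.get("cleartrust.agent.secure", "False").lower() == "true":
        return port == SSL_PORT
    return port not in excluded_ports(conf)


def audit_responses(conf, responses):
    """responses: iterable of (tcp_port, [Set-Cookie header values]).
    Returns (port, cookie_name) pairs where a session cookie was issued on a
    port the configuration forbids."""
    findings = []
    for port, set_cookie_headers in responses:
        for header in set_cookie_headers:
            name = header.split("=", 1)[0].strip()
            if name in SESSION_COOKIES and not cookie_allowed_on_port(conf, port):
                findings.append((port, name))
    return findings


# Constructed sample: agent behind an SSL accelerator, receiving decrypted
# traffic on 8080, with the plain HTTP port 80 excluded.
SAMPLE_CONF = """
# webagent.conf excerpt (constructed)
cleartrust.agent.secure=False
cleartrust.agent.cookie_port_exclusion_list=80
"""

SAMPLE_RESPONSES = [
    (80, ["CTSESSION=abc123; path=/"]),            # violation: plain HTTP port
    (8080, ["CTSESSION=abc123; path=/"]),          # allowed: accelerator back end
    (443, ["CTSESSION=abc123; path=/; secure"]),   # allowed: SSL port
    (80, ["JSESSIONID=xyz; path=/"]),              # not a ClearTrust cookie
]

if __name__ == "__main__":
    for port, name in audit_responses(parse_webagent_conf(SAMPLE_CONF), SAMPLE_RESPONSES):
        print(f"session cookie {name} issued on excluded port {port}")
```

With the sample configuration the script flags only the CTSESSION cookie seen on port 80; switching the configuration to cleartrust.agent.secure=True makes it flag the cookie on 8080 as well, which is the behaviour to expect when the agent sits behind an SSL accelerator and the exclusion list, rather than the secure flag, is the right tool.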
