|Applies To||RSA ClearTrust Agent 4.6 for Microsoft IIS; Microsoft Windows Server 2003; Microsoft Internet Information Server (IIS) 6.0|
|Issue||How to prevent RSA ClearTrust authentication cookies from being issued on a specific TCP port|
Occasionally, a user may appear to be authenticated using another user's credentials. This only occurs when the cookie is issued over a non-SSL connection, and the two users are accessing the web from behind the same proxy server.
|Cause||Even though the HTTP RFC specifically states that cookies should not be cached, some incorrectly configured proxy servers may cache cookies. This can create a situation where different users behind the same proxy server receive a cached copy of another user's authorization cookie. Ensuring that cookies are only issued over an SSL connection alleviates this problem, because a secure session is then established directly between the web server and the browser.|
The ClearTrust Agent can be configured to allow cookies to be issued only on the SSL port by setting the parameter cleartrust.agent.secure=True in the webagent.conf file.
If an SSL accelerator or proxy server is being used with the web server to manage SSL content, then the ClearTrust Agent can be installed on a normal HTTP port. To restrict the ClearTrust CTSESSION authentication cookie on a port other than the default SSL port of 443, use the webagent.conf parameter "cleartrust.agent.cookie_port_exclusion_list".
|Resolution||This issue has been resolved in a hot fix for RSA ClearTrust Agent 4.6 for IIS 5.0 and 6.0. Contact RSA Security Customer Support to obtain hot fix 184.108.40.206, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels).|
A new configuration parameter "cleartrust.agent.cookie_port_exclusion_list" must be added to the webagent.conf file to use this new functionality.
NOTE: This functionality was originally introduced in RSA ClearTrust 4.5 Agent hot fix 220.127.116.11_RFE but was not ported into ClearTrust Agent 4.6. In hot fix 18.104.22.168_RFE, the ACTSESSION retention cookie was also incorrectly blocked on this port. This has been resolved in RSA ClearTrust 4.6 Agent hot fix 22.214.171.124.
|Legacy Article ID||a27342|
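Added example, not code from RSA or from this article: a small audit check that verifies, from a response's Set-Cookie headers and the port it was served on, that the behaviour described under Resolution holds (CTSESSION is never issued on a port in cleartrust.agent.cookie_port_exclusion_list, while the ACTSESSION retention cookie still is). The sample responses, the exclusion of port 80 and the cookie values are constructed assumptions.

```python
# Added example (not RSA's code): audit ClearTrust cookie issuance per TCP port,
# run over constructed Set-Cookie header values.
from typing import FrozenSet, Iterable, List

SESSION_COOKIE = "CTSESSION"     # authentication cookie the fix blocks on excluded ports
RETENTION_COOKIE = "ACTSESSION"  # retention cookie, which must still be issued
SSL_PORT = 443


def cookie_names(set_cookie_headers: Iterable[str]) -> List[str]:
    """Extract cookie names from raw Set-Cookie header values."""
    names = []
    for header in set_cookie_headers:
        name_value = header.split(";", 1)[0]
        if "=" in name_value:
            names.append(name_value.split("=", 1)[0].strip())
    return names


def check_cookie_issuance(port: int, set_cookie_headers: Iterable[str],
                          exclusion_ports: Iterable[int]) -> List[str]:
    """Return findings for one response served on `port` (empty list = policy met).

    CTSESSION on an excluded port means the exclusion list is not honoured
    (fix missing or parameter not set). CTSESSION on any other non-SSL port
    is flagged because a caching proxy could hand it to a different user.
    ACTSESSION (the retention cookie) is allowed on every port.
    """
    excluded = set(exclusion_ports)
    findings = []
    for name in cookie_names(set_cookie_headers):
        if name == SESSION_COOKIE and port in excluded:
            findings.append(f"{name} issued on excluded port {port}: exclusion list not honoured")
        elif name == SESSION_COOKIE and port != SSL_PORT:
            findings.append(f"{name} issued on non-SSL port {port}: consider excluding this port")
    return findings


# Constructed sample: port 80 is in the exclusion list; 8080 is an unlisted HTTP port.
SAMPLE_RESPONSES = [
    (443, ["CTSESSION=opaque-token; path=/; secure", "ACTSESSION=opaque; path=/"]),
    (80, ["ACTSESSION=opaque; path=/"]),         # correct: only the retention cookie
    (80, ["CTSESSION=opaque-token; path=/"]),    # fix not applied or parameter missing
    (8080, ["CTSESSION=opaque-token; path=/"]),  # unlisted plain-HTTP port
]


def audit(responses, exclusion_ports: FrozenSet[int] = frozenset({80})):
    """Map each sample index to its findings."""
    return {i: check_cookie_issuance(p, h, exclusion_ports) for i, (p, h) in enumerate(responses)}


if __name__ == "__main__":
    for idx, findings in audit(SAMPLE_RESPONSES).items():
        print(idx, findings or "ok")
```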