Layer7 Access Management

Tech Tip : CA Single Sign-On : CA Access Gateway (SPS) UseHTTPOnlyCookies available for Federation Session Cookies

  • 1.  Tech Tip : CA Single Sign-On : CA Access Gateway (SPS) UseHTTPOnlyCookies available for Federation Session Cookies

    Posted 11-28-2017 04:31 AM

    Question:

     

    Running CA Access Gateway (SPS), we notice that we cannot set UseHTTPOnlyCookies=YES with the Federation Session Cookies. But we've noticed that this feature exists already in CA Access Gateway (SPS) 12.6 :

     

    Secure a Federated Environment

    https://docops.ca.com/ca-single-sign-on/12-6-01/en/configuring/partnership-federation/secure-a-federated-environment

     

    Safeguard Cookie Information with the HTTP-Only Attribute To help
    protect against cross-site scripting attacks, you can protect the
    contents of cookies that Federation Web Services generates. To
    enable this protection, set the following Agent Configuration Object
    (ACO) parameter:

    UseHTTPOnlyCookies

    This parameter instructs Federation Web Services to set the
    HTTP-only attribute on the cookies it creates. When a cookie with
    this attribute is returned to the browser, the contents of the
    cookie cannot be read by a script, even a script from the web site
    which originally set the cookie. This helps prevent any sensitive
    information in the cookie from being sent to an unauthorized third
    party through a script.

    Default: No

    To safeguard the information in cookies, set the value of the
    UseHTTPOnlyCookies parameter to yes.

     

    Is there any CR in which we can find this feature in CA Access Gateway (SPS) 12.52SP1, so we could have this in our current 12.52SP1 environment?

     

    Environment:

     

    CA Access Gateway (SPS) 12.52SP1CR00

     

    Answer:

     

    Upgrade the CA Access Gateway (SPS) to 12.52SP1CR07 to get that functionality as per release notes :

    00653130 DE283777 Servlet API is upgraded to from 2.4 to 3.0 in Federation web services.

     

    Defects Fixed in 12.52 SP1 CR07

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr07#DefectsFixedin12.52SP1CR07-smsps

     

    KB : TEC1573861