Symantec Access Management

  • 1.  smsession cookie vulnerability

    Posted Mar 04, 2020 12:54 PM
    Hi All,

    We found a vulnerability: the smsession cookie is passed on the URL, which is sensitive, so I would request your help to resolve this ASAP.

    Can we make it as POST instead of GET?

    ------------------------------
    Thanks,
    Karthik
    +91-9047145955
    ------------------------------


  • 2.  RE: smsession cookie vulnerability
    Best Answer

    Broadcom Employee
    Posted Mar 04, 2020 06:16 PM
    Karthik,

    For a general protected request, I thought you could use either GET or POST.
    However, there is an exception with requests made to the cookie provider SmMakeCookie.ccc; this may be what you are referring to.
    If that is the case, have you tried the ACO parameter SecureURLs=yes?
    When the ACO parameter SecureURLs=yes is set, all the query-related data is encrypted and put into SMQUERYDATA.

    All Web Agents in a single sign-on environment must have the SecureUrls parameter set to the same value.



  • 3.  RE: smsession cookie vulnerability

    Posted Jan 08, 2025 09:39 AM

    Hi @Hongxu Liu,

    We are facing the same issue in our environment and we have more than 300 web agents. So changing everything to use SecureURLs=Yes is a big task.

    So is there any other way to remediate this vulnerability?

    Thanks,

    Subramanian




  • 4.  RE: smsession cookie vulnerability

    Broadcom Employee
    Posted Jan 08, 2025 10:07 AM

    If setting the ACO parameter SecureURLs is not feasible, then check another ACO parameter, StoreSessioninServer=Yes, which will store the session temporarily and pass a GUID that identifies the stored session instead of the session cookie in the redirect URL.

    The detailed usage of StoreSessioninServer is documented under "Use the Session Store to Increase Security for Multi-Domain Single Sign-On".

    Session Cookie Management
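As an added example that is not part of this thread or of the Broadcom product, the check below scans web-server access logs to find which agents still emit the SMSESSION value in a redirect URL, and counts how many requests already carry their query inside SMQUERYDATA (the SecureURLs=yes form described above). The log lines are constructed, and the Apache-style log format and the parameter names being visible in the request line are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined-style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Mar/2020:12:54:01 +0000] "GET /siteminderagent/SmMakeCookie.ccc?SMSESSION=abc123DEF&TARGET=https://app.example.com/ HTTP/1.1" 302 0
10.0.0.6 - - [04/Mar/2020:12:55:10 +0000] "GET /siteminderagent/SmMakeCookie.ccc?SMQUERYDATA=9x8y7z HTTP/1.1" 302 0
10.0.0.7 - - [08/Jan/2025:09:39:00 +0000] "GET /app/home?id=42 HTTP/1.1" 200 1024
10.0.0.8 - - [08/Jan/2025:10:07:00 +0000] "GET /siteminderagent/SmMakeCookie.ccc?SMSESSION=zzz999&TARGET=/portal HTTP/1.1" 302 0
"""

# Pulls the method and URL out of the quoted request line (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

def classify_request(url):
    """Return 'exposed', 'secured' or 'clean' for one request URL.

    exposed: the SMSESSION value itself is in the query string.
    secured: the query travels only inside SMQUERYDATA (SecureURLs=yes form).
    clean:   no session-related query parameters at all.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    keys = {k.upper() for k in params}
    if "SMSESSION" in keys:
        return "exposed"
    if "SMQUERYDATA" in keys:
        return "secured"
    return "clean"

def find_exposed_sessions(log_text):
    """Return (line_number, path) for every request that leaks SMSESSION in the URL."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m and classify_request(m.group("url")) == "exposed":
            hits.append((lineno, urlsplit(m.group("url")).path))
    return hits

def summarize(log_text):
    """Count requests per class to track remediation across many agents."""
    counts = {"exposed": 0, "secured": 0, "clean": 0}
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            counts[classify_request(m.group("url"))] += 1
    return counts

if __name__ == "__main__":
    for lineno, path in find_exposed_sessions(SAMPLE_LOG):
        print(f"line {lineno}: SMSESSION exposed in URL of {path}")
    print(summarize(SAMPLE_LOG))
```

Run it against each agent's access log to build the list of agents that still need SecureURLs or StoreSessioninServer applied.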