Symantec Access Management

  • 1.  TechTip: Why can we re-use SMSESSION cookie after Logout ?

    Posted Apr 26, 2017 05:38 AM

    Question

    Why can we re-use the SMSESSION cookie after Logout?

    You could steal an SMSESSION cookie and replay it for future requests in another browser or the same browser until the Session expiration.

    The Session expiration is located inside the cookie itself, and when a Web Agent decodes it, it will verify the Session Timeout (Max/Idle) directly from the session, and will not validate it by default against the Policy Server.

    The scenario above is not an expected situation, as normally in a secure Network nobody will steal an SMSESSION cookie.

    Answer

    You can use the following solutions for this issue:

    1. Implement Enhanced Session Assurance with DeviceDNA

    Documentation: Enhanced Session Assurance with DeviceDNA

    2. Use Persistent sessions/realms with a short Session Validation Period

    For persistent sessions only, you can specify the time period for which the Web Agent caches the result of a session validation call to the Policy Server.

    Session validation calls perform two functions: informing the Policy Server that a user is still active and checking that the user session is still valid.

    After a Logoff, the session is removed from the Session store, so if you attempt to replay an SMSESSION cookie after the Validation Period, the Web Agent will contact the Policy Server, find that the session is invalid, and reject the user session.

    Additional Information
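    The following is an added illustration, not part of the original post and not SiteMinder/Symantec code. It is a toy model of the mechanism described above: a signed cookie that carries its own Max/Idle timeouts, a web agent that by default checks only those local values, a stand-in for the Policy Server session store, and a validation period after which the agent re-asks the store. All names (`make_cookie`, `WebAgent`, `SessionStore`, `replay_after_logoff`), the HMAC signing scheme, the cookie layout and the timing values are constructed assumptions for the example; the product's real cookie format and validation logic are not reproduced here.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for the toy cookie signature (not a real agent key).
SECRET = b"constructed-example-agent-key"


def make_cookie(session_id, user, issued_at, max_timeout, idle_timeout):
    """Build a toy session cookie whose expiry data lives inside the cookie."""
    payload = {"sid": session_id, "user": user, "issued": issued_at,
               "last": issued_at, "max": max_timeout, "idle": idle_timeout}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def decode_cookie(cookie):
    """Verify the signature and return the payload, or None if tampered."""
    body, sig = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class SessionStore:
    """Stands in for the Policy Server session store (persistent sessions)."""

    def __init__(self):
        self.active = set()

    def create(self, sid):
        self.active.add(sid)

    def logoff(self, sid):
        # Logoff removes the session server-side; the cookie itself is unchanged.
        self.active.discard(sid)

    def validate(self, sid):
        return sid in self.active


class WebAgent:
    """Toy agent: local Max/Idle checks, plus optional cached store validation."""

    def __init__(self, store, validation_period):
        self.store = store
        # Seconds to cache a store validation result; None = never ask the store.
        self.validation_period = validation_period
        self._last_validated = {}  # sid -> time of last successful store call

    def is_session_valid(self, cookie, now):
        data = decode_cookie(cookie)
        if data is None:
            return False, "bad signature"
        # 1. Checks that only use what is inside the cookie (Max / Idle).
        if now - data["issued"] > data["max"]:
            return False, "max timeout"
        if now - data["last"] > data["idle"]:
            return False, "idle timeout"
        # 2. Server-side validation, if configured, cached for validation_period.
        if self.validation_period is None:
            return True, "local checks only"
        sid = data["sid"]
        last = self._last_validated.get(sid)
        if last is not None and now - last < self.validation_period:
            return True, "cached validation"
        if not self.store.validate(sid):
            self._last_validated.pop(sid, None)
            return False, "rejected by policy server"
        self._last_validated[sid] = now
        return True, "validated by policy server"


def replay_after_logoff(validation_period):
    """Replay one cookie at several times after the user has logged off."""
    store = SessionStore()
    agent = WebAgent(store, validation_period)
    t0 = 1_000_000  # constructed epoch seconds
    cookie = make_cookie("sid-1", "alice", t0, max_timeout=3600, idle_timeout=1800)
    store.create("sid-1")
    results = {"before_logoff": agent.is_session_valid(cookie, t0 + 10)[0]}
    store.logoff("sid-1")
    results["replay_at_+20s"] = agent.is_session_valid(cookie, t0 + 20)[0]
    results["replay_at_+120s"] = agent.is_session_valid(cookie, t0 + 120)[0]
    results["replay_after_max"] = agent.is_session_valid(cookie, t0 + 3601)[0]
    return results


if __name__ == "__main__":
    print("no validation period :", replay_after_logoff(None))
    print("60 s validation period:", replay_after_logoff(60))
```

    With `validation_period=None` the replayed cookie stays accepted until its own Max timeout, which is the behaviour the question describes. With a 60-second validation period the replay is still accepted inside the cached window (`+20s`) but is rejected once the agent goes back to the store (`+120s`), which is why a short validation period bounds the replay window rather than removing it.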



  • 2.  Re: TechTip: Why can we re-use SMSESSION cookie after Logout ?