Symantec Access Management

  • 1.  Session Replay

    Posted Mar 01, 2013 11:48 AM
    Can we use "CookieValidationPeriod" to protect against session replay attacks? Or will this setting take precedence over the "IdleTimeOut" setting?

    The IdleTimeOut value is 20 mins in our environment, but we would like to set "CookieValidationPeriod" to, say, 5 mins to protect us from session replay attacks. Does this mean our IdleTimeOut value goes down to 5 mins from 20 mins?


  • 2.  RE: Session Replay

    Broadcom Employee
    Posted Mar 04, 2013 10:15 AM
    Good morning gunjan,

    You have not provided much information, such as the policy server version or the web agent version you are using, so I will try to answer this generically.

    Please review the web agent guide section found here:
    https://support.ca.com/cadocs/0/CA%20SiteMinder%20r12%20SP3-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?agent-guide.html


    Web Agent Guides › Web Agent Configuration Guide › Single Sign-On (SSO) › How to Configure Single Sign-On › Protect Session Cookies from Misuse with Validation Periods and Expired Cookie URLs
    CookieValidationPeriod
    Specifies the time period (in seconds) in which the receiving agent will accept the session cookie. After this time passes, the session cookie will not be accepted. If this field is not used or is set to zero, the session cookie expires when the Idle Timeout and Max Session Timeout values are met.

    Default: Empty.


    Policy Server Guides › Policy Server Configuration Guide › Implementing Policy-based Security › Strategies for Managing Security and Users › Manage the End-user Experience › How Sessions Are Managed
    How Sessions Are Managed
    By managing sessions, you control how long an authenticated and authorized user can access the resource. You can control sessions by:

    Specifying the amount of time a user can remain idle, without interacting with the resource.
    Idle timeouts protect against unauthorized use of the resource by limiting the amount of time the session remains active if it is not being used. The idle timeout is particularly useful in cases where users leave their computer without logging out of their session. When the idle timeout limit is reached, the session automatically ends.

    Your statement is correct. If you set CookieValidationPeriod to 5 minutes (300 seconds) and there is no activity, the user will be challenged for authentication again at this point. This will in effect override your idle timeout setting.

    Hope this helps.

    Gene


  • 3.  RE: Session Replay

    Posted Mar 04, 2013 03:00 PM
    Hi Gunjan,

    What major version are you using? 6.0? 12.0? 12.5?
    Is your issue with hitting a logoff URI and then going back to the site without being rechallenged?

    Please describe the version (at least major, preferably to build number) and situation in more detail.

    Sincerely,
    Josh Perlmutter
    CA Technologies SiteMinder Support
    SiteMinder Team Line: 800-CALL-CAI (225-5224)
    My Direct Line: 508-628-8808
    My Working Hours: 8 AM to 4 PM US Eastern Time
    Center Hours: 8 AM to 8 PM US Eastern Time


  • 4.  RE: Session Replay

    Posted Mar 07, 2013 11:55 PM
    Yes, that is the issue. I log into the application, save the value of the SMSESSION cookie, log off from the application and close the browser.
    Now I go to the application again, enter the SMSESSION cookie value in the query string and get access to the application. Another way to do this is to replay the session cookie using Live HTTP Headers.

    Policy server: R12 SP3 CR10


  • 5.  RE: Session Replay
    Best Answer

    Broadcom Employee
    Posted Mar 11, 2013 10:11 AM
    Good morning gunjan,

    I believe what you are running into has to do with the web agent cache. To improve performance, not every request can go back to the policy server. To accomplish this, the web agent has a cache that stores SMSESSION and checks against it to see whether a trip to the policy server is needed or not. If the SMSESSION is found in cache and a validation is not needed, the web agent handles it on its own. You can see this in the web agent trace logs from lines that say "validating from web agent cache".

    As you know, security is always a tradeoff between ease of use, performance and security.

    I know clients who have what they call high-risk applications. For these applications they will do the following:
    1) Use a persistent session store
    2) Disable web agent caching.

    The combination of these two forces the web agent to go to the policy server and session store each time to verify that the SMSESSION is still good and has not been logged off, as in your case.

    Generally speaking, this would not be recommended for every application, as it will have an impact on performance. But if you have a need of this nature for certain applications, you can give the above a try and see if it solves this use case.

    I hope this helps.

    Gene


  • 6.  RE: Session Replay

    Posted Mar 11, 2013 12:06 PM
    Thanks for the update, Gene. I will try the agent cache change and see if it helps.

    Thanks
    Gunjan.


  • 7.  RE: Session Replay

    Posted Mar 11, 2013 12:18 PM
    Actually, I had this tested by clearing out the cache for my test user only. That did not work, but I will try reducing the cache timeout value and see if that helps.


  • 8.  RE: Session Replay

    Posted Mar 11, 2013 12:51 PM
    Gene,

    To clarify, when you say disable the agent cache, do you mean disabling the ACO parameter MaxSessionCacheSize?

    Gunjan.


  • 9.  RE: Session Replay

    Broadcom Employee
    Posted Mar 11, 2013 12:59 PM
    Good afternoon Gunjan,

    Yes, you are correct. You would need to set MaxSessionCacheSize to 0. But doing this without the session store will not do what you want, as the policy server has a cache system as well. Only combining a session server with MaxSessionCacheSize = 0 on the agent will prevent this at all.

    Hope this helps.

    Gene
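
To make the interaction between the settings discussed in replies 5 and 9 concrete, here is an added toy model of the validation flow Gene describes; it is not SiteMinder code, and AgentConfig, WebAgent and the ordering of the checks are assumptions made for illustration. It shows why a cached SMSESSION is accepted without a policy-server trip, why a logged-off session replayed inside the timeouts is only rejected when MaxSessionCacheSize is 0 and a persistent session store is in use, and how CookieValidationPeriod cuts the window independently of IdleTimeout.

```python
from dataclasses import dataclass, field

@dataclass
class AgentConfig:
    idle_timeout: int = 1200            # IdleTimeout, seconds (20 min as in the thread)
    cookie_validation_period: int = 0   # CookieValidationPeriod, seconds; 0 = not used
    max_session_cache_size: int = 1000  # MaxSessionCacheSize; 0 disables the agent cache
    persistent_session_store: bool = False

@dataclass
class WebAgent:
    """Assumed toy model of the web agent, not SiteMinder's implementation."""
    cfg: AgentConfig
    store: set = field(default_factory=set)    # stands in for the policy server session store
    cache: dict = field(default_factory=dict)  # agent cache: cookie -> time last validated

    def login(self, cookie, now):
        self.store.add(cookie)
        if self.cfg.max_session_cache_size > 0:
            self.cache[cookie] = now

    def logoff(self, cookie):
        # Logoff removes the session from the store, but the agent cache still
        # holds the cookie: that is the gap the thread describes.
        self.store.discard(cookie)

    def validate(self, cookie, cookie_time, now):
        """cookie_time: when the cookie was issued or last refreshed by activity."""
        cvp = self.cfg.cookie_validation_period
        if cvp and now - cookie_time > cvp:
            return "rejected: CookieValidationPeriod exceeded"
        if now - cookie_time > self.cfg.idle_timeout:
            return "rejected: IdleTimeout exceeded"
        if self.cfg.max_session_cache_size > 0 and cookie in self.cache:
            return "accepted: validated from web agent cache"  # no policy-server trip
        # Without a persistent session store the policy server has no record of the logoff.
        if self.cfg.persistent_session_store and cookie not in self.store:
            return "rejected: session not in session store"
        if self.cfg.max_session_cache_size > 0:
            self.cache[cookie] = now
        return "accepted: validated by policy server"

def replayed_cookie_decision(cfg, replay_delay=60):
    """Login at t=0, log off, then present the saved cookie again replay_delay seconds later."""
    cookie = "SMSESSION=constructed-sample-value"   # constructed, not a real cookie
    agent = WebAgent(cfg)
    agent.login(cookie, now=0)
    agent.logoff(cookie)
    return agent.validate(cookie, cookie_time=0, now=replay_delay)
```

Running the scenario against each configuration from the thread (defaults, cache off only, store only, both, and CookieValidationPeriod = 300) reproduces the outcomes Gene describes.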