1

Because of the vulnerabilities found in the security scans (SCABBA) done for our applications, we added Secure and HttpOnly to the SMSESSION cookie. Now we are facing an issue: when I am redirecting from one application to another (all are under single sign-on), sometimes the session gets invalidated within 5-10 minutes and we are redirected to the login page.

I believe the SMSESSION fix we did is causing these problems, but I am not sure of it. Somewhere I found the below info:

The SMSESSION cookie generated by SiteMinder is always in an encrypted format and is also handled in a highly secure manner. We can have the Secure and HttpOnly flags implemented on the SiteMinder cookies, but there may be some functionality issues after implementing these flags on the cookies, such as: (a) seamless SSO will break on moving from HTTP to HTTPS or vice versa (we have all HTTPS only); (b) there may be a few session-upholding issues; (c) logout functionality may break. These were a few of the breakages which we experienced in the last few cases.

Does anyone have an idea on it?

Thanks in advance

Regards, Raviteja Koditiwada

4

1 Answer

1

HTTPS is all or nothing. If an application leaks its session ID over HTTP, the account can be compromised, which is why Facebook is now fully HTTPS. Leaking a session id over an insecure channel violates OWASP Insufficient Transport Layer Protection and is one of the OWASP Top 10 most common web application vulnerabilities.

A web application can use the `secure` cookie flag to keep plaintext HTTP requests from containing the session ID. As a result, any authenticated request sent by the browser must go over HTTPS, which is required for security.

Both the `secure` and `httponly` cookie flags are important. Tell your vendor to fix this OWASP Top 10 vulnerability and to look for other OWASP Top 10 violations in their software. Using HTTP Strict Transport Security is also a very good idea.

answered 2013-10-28T22:34:20.893
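The mechanism behind both the question and the answer, as an added example that is not part of the original post and is not CA SiteMinder code: a Secure cookie is attached by the browser only to https:// requests, so it cannot leak over plaintext HTTP (the answer's point), and for the same reason it is absent on any http:// hop of an SSO redirect chain (the "seamless will break" breakage quoted in the question). The block builds the weak and hardened forms of the `Set-Cookie` header with the standard library, audits a header the way a scanner would, simulates which hops of a constructed redirect chain are requested without the cookie, and emits the HSTS header the answer recommends. The cookie name SMSESSION comes from the question; the scanner logic, the hostnames and the token value are constructed, and the constructed chain deliberately contains one http:// hop even though the asker's environment is all HTTPS.

```python
"""Added example (not from the original post or from CA SiteMinder): model how the
Secure and HttpOnly cookie flags change browser behaviour, audit Set-Cookie headers
the way a scanner would, and emit an HSTS header.  The cookie name SMSESSION comes
from the question; every other value below is constructed."""
from http import cookies
from urllib.parse import urlparse


def build_session_cookie(name, value, secure=True, httponly=True):
    """Return a Set-Cookie header value for a session cookie.

    Defaults to the hardened form (Secure + HttpOnly); pass secure=False /
    httponly=False to produce the weak form a scanner would flag.
    """
    jar = cookies.SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = secure      # emitted as the bare "Secure" attribute when True
    jar[name]["httponly"] = httponly  # emitted as "HttpOnly" when True
    return jar[name].OutputString()


def audit_set_cookie(header_value):
    """Parse one Set-Cookie header value and report which protective flags it carries.

    Constructed scanner logic, not the SCABBA scanner named in the question.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    return {"name": name, "secure": "secure" in attrs,
            "httponly": "httponly" in attrs, "findings": findings}


def hops_without_session(redirect_chain, cookie_secure):
    """Simulate a browser following an SSO redirect chain.

    A cookie marked Secure is attached only to https:// requests, so every
    http:// hop is made without the session cookie: that is the "seamless will
    break on moving from HTTP to HTTPS" failure mode quoted in the question.
    A cookie without Secure reaches every hop, including the plaintext ones the
    answer warns about.  Returns the URLs that were requested without the cookie.
    """
    return [url for url in redirect_chain
            if cookie_secure and urlparse(url).scheme != "https"]


def hsts_header(max_age=31536000, include_subdomains=True):
    """Return the Strict-Transport-Security header the answer recommends."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return "Strict-Transport-Security", value


if __name__ == "__main__":
    token = "constructed-opaque-token"  # constructed; a real SMSESSION value is opaque
    weak = build_session_cookie("SMSESSION", token, secure=False, httponly=False)
    hardened = build_session_cookie("SMSESSION", token)
    for header in (weak, hardened):
        print(header)
        print("  findings:", audit_set_cookie(header)["findings"] or ["none"])

    # Constructed SSO hop sequence with one hop that is not https://.
    chain = ["https://app1.example.test/", "http://sso.example.test/login",
             "https://app2.example.test/"]
    print("hops requested without the Secure cookie:", hops_without_session(chain, True))
    print("%s: %s" % hsts_header())
```

Run the file directly to see the weak header flagged twice, the hardened header flagged not at all, and the single http:// hop listed as the request that arrives without the session cookie. When tracing a session that drops during SSO redirects, the practical check is the same as the simulation: capture the full redirect chain and confirm every hop, including the SSO agent's own redirects, is https://.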