OpenAM – Protect Against CDSSO Cookie Hijacking

When a cookie is scoped to an entire domain such as .example.com, the browser sends it to every host in that domain, so an attacker who steals it can replay it from any host in the domain, such as untrusted.example.com. Cookie hijacking protection instead restricts each SSO cookie to the fully-qualified domain name (FQDN) of the host that issued it, such as openam-server.example.com and server-with-agent.example.com, and relies on CDSSO to carry authentication and authorization across those hosts.

For CDSSO with cookie hijacking protection, when a client authenticates successfully OpenAM issues the master SSO token cookie for its own FQDN and restricted token cookies for the other FQDNs where the policy agents reside. The client ends up holding cookies with different session identifiers for different FQDNs, while the OpenAM server records the correlation between the master SSO token and each restricted token, so internally the client still has only one master session. A cookie captured on an agent host therefore carries a restricted token for that host, not the master SSO token.

To protect against cookie hijacking, you restrict the OpenAM cookie domain to the host where OpenAM runs, which sets the domain of the SSO token cookie to the host running the OpenAM server that issued the token. You also enable use of a unique SSO token cookie on the server, and enable the same setting in the configuration of each Java EE policy agent.

  1. In the OpenAM console, browse to Configuration > System > Platform.
  2. Remove the domain such as .example.com from the Cookies Domains list, and replace it with the server host name such as openam.example.com, or, if OpenAM is behind a load balancer, with the load balancer host name, such as load-balancer.example.com.
  3. Save your work.
  4. In the OpenAM console, browse to Configuration > Servers and Sites > Server Name > Default Server Settings, and then make these changes:
    1. Set the property com.sun.identity.enableUniqueSSOTokenCookie to true.
    2. Add the property com.sun.identity.authentication.uniqueCookieDomain, setting the value to the fully-qualified domain name of the OpenAM server, such as openam.example.com.
    3. Save your work.

  5. For each Java EE policy agent, browse in the OpenAM console to Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Custom Properties, and add com.sun.identity.enableUniqueSSOTokenCookie=true to the list.
  6. Save your work.
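Once the settings above are in place, the two observable effects are the ones described earlier: every SSO cookie is scoped to the FQDN that issued it rather than to the parent domain, and the OpenAM host and each agent host hand the browser different session identifiers. The following script is an added example, not code from OpenAM or its documentation; it audits captured Set-Cookie headers for exactly those two properties. The header samples are constructed for illustration (the session values are made up, not real OpenAM tokens), the default SSO cookie name iPlanetDirectoryPro is assumed, and the "before" set shows what a domain-wide, shared cookie looks like next to the "after" set produced by a correctly configured deployment.

```python
"""Audit Set-Cookie headers for CDSSO cookie-hijacking protection.

Added example, not part of OpenAM. It checks:
  1. the SSO cookie is host-only or scoped exactly to the issuing FQDN
     (never to a parent domain such as .example.com), and
  2. the OpenAM host and each agent host receive different session ids
     (master token versus restricted token).
Sample headers below are constructed; the token values are invented.
"""
from __future__ import annotations

from http.cookies import SimpleCookie

SSO_COOKIE = "iPlanetDirectoryPro"  # OpenAM's default SSO cookie name (assumed)


def parse_set_cookie(header: str) -> dict:
    """Return {name, value, domain} for a single Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    return {"name": name, "value": morsel.value, "domain": morsel["domain"].lower()}


def cookie_domain_ok(issuing_host: str, domain_attr: str) -> bool:
    """True when the cookie is host-only or scoped exactly to the issuing FQDN."""
    scoped = domain_attr.lstrip(".")
    return scoped == "" or scoped == issuing_host.lower()


def audit(observations: list[dict]) -> list[str]:
    """observations: [{"host": fqdn the browser talked to, "set_cookie": header}, ...]

    Returns a list of findings; an empty list means the protection is in effect.
    """
    findings: list[str] = []
    token_by_host: dict[str, str] = {}
    for obs in observations:
        cookie = parse_set_cookie(obs["set_cookie"])
        if cookie["name"] != SSO_COOKIE:
            continue  # only the SSO cookie matters here
        if not cookie_domain_ok(obs["host"], cookie["domain"]):
            findings.append(
                f"{obs['host']}: {SSO_COOKIE} scoped to '{cookie['domain']}', "
                "usable from any host in that domain"
            )
        token_by_host[obs["host"]] = cookie["value"]

    # The same session id on two hosts means a stolen cookie replays across them.
    first_host_for_token: dict[str, str] = {}
    for host, token in token_by_host.items():
        if token in first_host_for_token:
            findings.append(
                f"{host}: same session id as {first_host_for_token[token]}; "
                "no restricted token issued"
            )
        first_host_for_token.setdefault(token, host)
    return findings


# Constructed samples. BEFORE: domain-wide cookie, one token everywhere.
BEFORE = [
    {"host": "openam.example.com",
     "set_cookie": "iPlanetDirectoryPro=AQIC5wM2LY4SfczMasterToken01; "
                   "Domain=.example.com; Path=/; Secure; HttpOnly"},
    {"host": "server-with-agent.example.com",
     "set_cookie": "iPlanetDirectoryPro=AQIC5wM2LY4SfczMasterToken01; "
                   "Domain=.example.com; Path=/; Secure; HttpOnly"},
]

# AFTER: each cookie scoped to its issuing FQDN, agent host gets a restricted token.
AFTER = [
    {"host": "openam.example.com",
     "set_cookie": "iPlanetDirectoryPro=AQIC5wM2LY4SfczMasterToken01; "
                   "Domain=openam.example.com; Path=/; Secure; HttpOnly"},
    {"host": "server-with-agent.example.com",
     "set_cookie": "iPlanetDirectoryPro=AQIC5wM2LY4SfczRestricted02; "
                   "Domain=server-with-agent.example.com; Path=/; Secure; HttpOnly"},
]

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {audit(sample) or 'OK'}")
```

To use it against a live deployment, log in through the OpenAM host and then through an agent-protected host, copy the Set-Cookie headers from each response into the observation list, and run the audit; any finding means either the Cookies Domains entry or the unique SSO token cookie setting did not take effect on that host.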
