Wednesday, July 31, 2013

[TechNote] WebSphere Application Server Configurables for managing HTTP Session Cookie Vulnerability


Technote (FAQ)


Question

Which WebSphere Application Server Configurables are available for managing HTTP Session Cookie Vulnerability?

Cause

The HTTP Session cookie may be reported as a vulnerability by certain security check products.

Answer

IBM WebSphere Application Server provides configurables to progressively secure the session cookie information passed between the Application Server and clients.

The configurables are listed below:

1) httpOnlyCookies - PK98436
The WebContainer code was modified to add the HTTPOnly attribute when generating a session cookie if the following WebContainer custom property is set.

Note: This feature is not available with Fixpacks earlier than 6.1.0.31 or 7.0.0.9

Property name:
com.ibm.ws.webcontainer.httpOnlyCookies

The HTTPOnly attribute prevents client-side scripts from reading or manipulating the session cookie.

2) Security integration - Session Manager Option
When security integration is enabled, the session management facility associates the identity of each user with that user's HTTP session.

This ties session cookie information to the userid for which the session was created.

3) Restrict cookies to HTTPS sessions - Session Manager Option
Specifies that the session cookies include the secure field. Enabling the feature restricts the exchange of cookies to HTTPS sessions only.

The check box is available through the WebSphere Admin Console > Session management > Enable Cookies link. Requires use of the SSL protocol.

4) Enable SSL ID Tracking - Session Manager Option
Specifies that session tracking uses Secure Sockets Layer (SSL) information as a session ID. The sessionID cannot be captured from the browser. Requires use of SSL protocol.
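A small check, added here and not part of the IBM technote, that an administrator can run over a server's Set-Cookie headers to confirm that options 1 and 3 above took effect (HttpOnly and Secure on the JSESSIONID cookie). The sample headers are constructed, not captured from a real server.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example; not IBM's code. Sample headers below are constructed.
"""
from typing import Dict, List, Set

# Attributes the technote's controls add:
#   httpOnlyCookies custom property      -> HttpOnly
#   "Restrict cookies to HTTPS sessions" -> Secure
REQUIRED_ATTRS = ("httponly", "secure")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its name, value and lowercase attribute names."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Set[str] = set()
    for part in parts[1:]:
        key, _, _ = part.partition("=")  # drop attribute values such as Path=/
        attrs.add(key.strip().lower())
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_session_cookies(headers: List[str],
                          session_names=("JSESSIONID",)) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing attributes]} for each session cookie found.

    A cookie that carries both attributes maps to an empty list.
    """
    result: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] not in session_names:
            continue
        missing = [a for a in REQUIRED_ATTRS if a not in cookie["attrs"]]
        result[cookie["name"]] = missing
    return result


# Constructed sample responses: before and after enabling both options.
BEFORE = ["JSESSIONID=0000abcdef:clone1; Path=/", "theme=dark; Path=/"]
AFTER = ["JSESSIONID=0000abcdef:clone1; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    print(audit_session_cookies(BEFORE))  # {'JSESSIONID': ['httponly', 'secure']}
    print(audit_session_cookies(AFTER))   # {'JSESSIONID': []}
```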
