IBM Verify

IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  PD Session cookie doesn't include domain

    Posted Tue February 11, 2020 05:17 PM
    We are on ISAM 9.0.6 and finding that the PD Session cookie doesn't include the domain so it's not being passed in subsequent calls.

    Here is the flow we are going through:
    1. Call /apiauthsvc with the password PolicyID & get a state
    2.  Call the /apiauthsvc to verify the password with the state id
    3.  Attempting to call the /mga/sps/oauth/oauth20/authorize endpoint using and implicit flow to get a JWT.  We are passing in the authenticated session cookie.

    Step 3 presents the ISAM login page because the PD session cookie that comes back from the /apiauthsvc call doesn't include the domain so the browser doesn't know it send them along.

    I have tried many things to get the domain included but nothing has worked.  Does anyone have any suggestions on getting the domain included in the session cookie or how to get the session cookie from the browser to pass back?

    ------------------------------
    Angela Klein
    ------------------------------


  • 2.  RE: PD Session cookie doesn't include domain

    Posted Tue February 11, 2020 05:32 PM

    Hello Angela,

    The 'PD-S-SESSION-ID' cookie doesn't have a 'domain' tag on it by default.

    You can include a domain by using the following stanza:
    https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.7/com.ibm.isam.doc/wrp_stza_ref/reference/ref_sess_dm_ckie_stz.html

    From the configuration file:
    ---
    ##################################
    # SESSION COOKIE DOMAINS
    ##################################
    [session-cookie-domains]

    # Normally WebSEAL session cookies are 'host' cookies which browsers
    # only return to the host that originally set them. This stanza
    # can be used to configure 'domain' session cookies that may be sent
    # to any host in a particular DNS domain. Review the WebSEAL
    # documentation and understand the security implications of domain
    # session cookies before enabling any entries in this stanza.

    # Format is:
    # domain = example.com
    # domain = otherdomain.com
    # ...
    ---

    So that will determine what domains the Reverse Proxy will use when setting the session cookies.

    Failover cookies use a different property.

    If you're trying to get cookies from the backend junctions to pass domain cookies that's the following stanza:

    [junction]
    ...
    allow-backend-domain-cookies = no

    It's set to 'no' by default.

    Also, if you're looking for a session from the '/apiauthsvc' endpoint make sure you have the following so the EAI information will be consumed:

    [eai-trigger-urls]
    ...
    trigger = /mga/sps/apiauthsvc*



    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 3.  RE: PD Session cookie doesn't include domain

    Posted Tue February 11, 2020 09:08 PM
    Jack,
    Thank you for your response.  We did find those and have them set as you recommended.  We do have a HTTP Transformation for CORS setting the Access-Control-Allow-Origin header where we tried changing what we were setting it and it seemed to help a little bit.  Would that make a difference?

    ------------------------------
    Angela Klein
    ------------------------------

    Original Message


  • 4.  RE: PD Session cookie doesn't include domain

    Posted Tue February 11, 2020 10:00 PM

    Angela,
    Assuming you are not using DSC, you have to set shared-domain-cookie to 'yes' in the [session] stanza of the WebSEAL configuration file to use domain session cookies across standard and virtual hosts of a WebSEAL instance.
    See:

    https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/wrp_config/task/tsk_usg_dom_sess_cookie_vir_host_sso.html

    If you have clustered WebSEALs and using failover auth, you may also want to consider the following section:

    https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/wrp_config/task/tsk_config_nonsticky_failover_soln.html



    ------------------------------
    Steven Hughes
    ------------------------------

    Original Message


  • 5.  RE: PD Session cookie doesn't include domain

    Posted Wed February 12, 2020 11:09 AM
    Since none of those settings appeared to work, we turned to a HTTP Transformation.  We updated ISAM to to 9.0.7.1 this morning and modeled the transform after this:   https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.0/com.ibm.isam.doc/wrp_config/concept/con_http_trans_scenario4.html

    We are attempting update the domain on the PD-S-SESSION-ID cookie, but it doesn't seem to be doing anything with that one.  It will add a new one.

    Here is that portion of the XSL:
    <xsl:if test="Cookie/@name='PD-S-SESSION-ID'"> <xsl:if test="Cookie/@name='PD-S-SESSION-ID'"> <Cookie action="update" name="PD-S-SESSION-ID"> <Domain>XXXXX</Domain> </Cookie> </xsl:if>

    ------------------------------
    Angela Klein
    ------------------------------

    Original Message


  • 6.  RE: PD Session cookie doesn't include domain

    Posted Wed February 12, 2020 11:18 AM
    Hello Angela,

    You cannot transform the 'PD-S-SESSION-ID' cookie with an HTTP Transformation.

    Try to also set the 'web-host-name' of the reverse proxy to the hostname of your reverse proxy.
    Furthermore, you cannot set as follows:

    [session-cookie-domains]
    ...
    domain = .com

    ------------------------------
    JACK YARBOROUGH
    ------------------------------

    Original Message


  • 7.  RE: PD Session cookie doesn't include domain

    Posted Wed February 12, 2020 12:24 PM
    Thank you for the quick response.

    ------------------------------
    Angela Klein
    ------------------------------

    Original Message


Related Content