
Cookie Hijacking Prevention does not work properly under FireFox


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Expired
    • Affects Version: 10.1.0-Xpress
    • Fix Version: None
    • Component: cdsso
    • Environment: Solaris 10 x86, Apache 2.2.22, Agent 3.0.4.5, Firefox 14.0.1

      Description

      Under special conditions, CHP settings are not functioning properly when a WPA resource is accessed via Firefox. This issue does not exist in other browsers.

      My environment:

      • OpenAM has the FQDN: openam.example.com
      • WPA: solaris.example.com

      The setup is configured as per: http://docs.oracle.com/cd/E19316-01/820-3746/giuex/index.html

      In particular:

      • OpenAM:
        • com.sun.identity.enableUniqueSSOTokenCookie=true
        • com.sun.identity.authentication.uniqueCookieName=sunIdentityServerAuthNServer
        • com.sun.identity.authentication.uniqueCookieDomain=.example.com
        • iplanet-am-platform-cookie-domains=openam.example.com
      • Web Agent:

      The procedure that I used is:
      0. clear cookies and cache in the browser
      1. access a WPA protected resource
         • this step requires logging in to OpenAM as a valid user
      2. once the session is established access: http://openam.example.com:8080/openam/idm/EndUser
         • at this point the session fails and you are redirected to the login page
         • an exception in Session can be observed saying:

      amSSOProvider:07/27/2012 05:24:40:369 PM CEST: Thread[http-bio-8080-exec-3,5,main]
      could not create SSOToken from HttpRequest
      com.iplanet.dpro.session.SessionException: Illegal attempt to use a restricted token.
      at com.iplanet.dpro.session.Session.getSession(Session.java:1082)
      at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:92)
      at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:241)
      at com.sun.identity.authentication.service.AMLoginContext.processIndexType(AMLoginContext.java:1766)
      at com.sun.identity.authentication.service.AMLoginContext.executeLogin(AMLoginContext.java:306)
      at com.sun.identity.authentication.server.AuthContextLocal.login(AuthContextLocal.java:541)
      at com.sun.identity.authentication.server.AuthContextLocal.login(AuthContextLocal.java:433)
      at com.sun.identity.authentication.server.AuthContextLocal.login(AuthContextLocal.java:270)
      at com.sun.identity.authentication.UI.LoginViewBean.getLoginDisplay(LoginViewBean.java:933)
      at com.sun.identity.authentication.UI.LoginViewBean.processLogin(LoginViewBean.java:882)
      at com.sun.identity.authentication.UI.LoginViewBean.forwardTo(LoginViewBean.java:537)
      at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
      at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
      at com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:95)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
      at java.lang.Thread.run(Thread.java:662)

      Note that this occurs only when the OpenAM parameter iplanet-am-platform-cookie-domains coincides with the WPA parameter com.sun.identity.agents.config.cdsso.cookie.domain in the domain portion. For example:

      • it occurs for:
        iplanet-am-platform-cookie-domains=openam.example.com
        com.sun.identity.authentication.uniqueCookieDomain=.example.com
        com.sun.identity.agents.config.cdsso.cookie.domain[0]=.example.com
      • but it does not occur for:
        iplanet-am-platform-cookie-domains=openam.example.com
        com.sun.identity.authentication.uniqueCookieDomain=.example.net
        com.sun.identity.agents.config.cdsso.cookie.domain[0]=.example.net

      We have confirmed this issue also on CentOS 6.2 + Apache 2.22. Please let me know if more information is needed.
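As an added illustration (not OpenAM's or the web agent's own code), the following Python check parses the OpenAM and agent property values quoted in the report and flags the combination the reporter associates with the failure: an agent CDSSO cookie domain that is the domain suffix of an OpenAM platform cookie domain while unique SSO token cookies are enabled. It assumes the properties are available as flat key=value text with iplanet-am-platform-cookie-domains comma-separated; the sample fragments are constructed from the values in the report.

```python
import re

# Constructed sample fragments, mirroring the values given in the report.
OPENAM_PROPS_TRIGGER = """
com.sun.identity.enableUniqueSSOTokenCookie=true
com.sun.identity.authentication.uniqueCookieName=sunIdentityServerAuthNServer
com.sun.identity.authentication.uniqueCookieDomain=.example.com
iplanet-am-platform-cookie-domains=openam.example.com
"""
AGENT_PROPS_TRIGGER = "com.sun.identity.agents.config.cdsso.cookie.domain[0]=.example.com\n"
AGENT_PROPS_OK = "com.sun.identity.agents.config.cdsso.cookie.domain[0]=.example.net\n"


def parse_props(text):
    """Parse key=value lines; indexed keys such as name[0] are collected into lists."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        indexed = re.fullmatch(r"(.*)\[\d+\]", key)
        if indexed:
            props.setdefault(indexed.group(1), []).append(value)
        else:
            props[key] = value
    return props


def same_domain_portion(host_or_domain, cookie_domain):
    """True when cookie_domain (e.g. '.example.com') is the domain suffix of host_or_domain."""
    suffix = cookie_domain.lower().lstrip(".")
    host = host_or_domain.lower().lstrip(".")
    return host == suffix or host.endswith("." + suffix)


def find_overlaps(openam_text, agent_text):
    """Return agent CDSSO cookie domains that coincide with an OpenAM platform cookie domain.

    Only meaningful when restricted (unique) SSO token cookies are enabled, which is
    the setting under which the report observes the failure.
    """
    openam = parse_props(openam_text)
    agent = parse_props(agent_text)
    if openam.get("com.sun.identity.enableUniqueSSOTokenCookie", "false").lower() != "true":
        return []
    raw = openam.get("iplanet-am-platform-cookie-domains", "")
    platform = [d.strip() for d in raw.split(",") if d.strip()]  # assumed comma-separated
    cdsso = agent.get("com.sun.identity.agents.config.cdsso.cookie.domain", [])
    return sorted({c for c in cdsso for p in platform if same_domain_portion(p, c)})
```

Run against the two agent fragments, only the .example.com configuration is reported, matching the two cases the reporter lists.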

            People

            Assignee: Unassigned
            Reporter: Nemanja Lukic (n4al)