Encrypt Session IDs to Address Vulnerability Issues

CA Service Desk Manager (CA SDM) uses the Session ID (SID) to authenticate each request from the user. This Session ID is sent back and forth through the web browser. An attacker can auto-generate Session IDs and gain unauthorized access to CA SDM if one of them matches any active SID in CA SDM. An attacker can also sniff the CA SDM web URL using a man-in-the-middle attack and replay the URL to gain unauthorized access to CA SDM. Using an encrypted Session ID and cookie to authenticate user requests may have a minimal performance impact on CA SDM.
casm1401
The following attributes are added in Options Manager to support encrypted Session IDs:
  • use_encrypted_sid_and_cookie (optional)
    Use the encrypted Session ID and cookie to prevent spoofing and man-in-the-middle attacks. By default, this attribute is disabled. If you want enhanced CA SDM security, enable this attribute (Yes).
  • force_browser_to_send_cookie_only_in_ssl_connection (optional)
    Force the browser to send the Session ID (SID) cookie only if there is an SSL connection. This attribute is applicable only if you have set use_encrypted_sid_and_cookie to Yes. By default, this is turned off. If this flag is enabled, CA SDM can only be accessed through an SSL connection.
    For more information, see Options Manager, Security Options.
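After enabling these options, an administrator will want to confirm from the outside that the session cookie the server actually issues is protected: that it carries the Secure attribute (the standard browser mechanism for "send only over SSL", which is assumed here to be how the second option takes effect) and that the SID value is long enough that auto-generating a matching one is impractical. The following Python script is an added example and is not CA SDM code: it parses Set-Cookie headers and reports weak ones. The cookie name SESSION, the header values, and the 128-bit threshold are constructed for illustration, not taken from CA SDM.

```python
import math
import re

# Constructed sample Set-Cookie headers, not captured from a real CA SDM server.
# The first mimics a short, guessable SID sent over plain HTTP; the second is
# what a hardened deployment should look like.
SAMPLE_HEADERS = [
    "SESSION=1234567; Path=/",
    "SESSION=f3a9c2e7d8b14e06a5c7d9e2f1b3a4c5d6e7f8091a2b3c4d; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly have no value.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def estimated_bits(value):
    """Rough upper bound on the entropy of a SID, from its length and alphabet.

    Assumes every character was drawn uniformly from the smallest character
    class that covers the value (digits, hex, alphanumerics, or the set of
    characters actually present). A real generator may be weaker, never stronger.
    """
    if not value:
        return 0.0
    if re.fullmatch(r"[0-9]+", value):
        per_char = math.log2(10)
    elif re.fullmatch(r"[0-9a-fA-F]+", value):
        per_char = 4.0
    elif re.fullmatch(r"[0-9A-Za-z]+", value):
        per_char = math.log2(62)
    else:
        per_char = math.log2(len(set(value)))
    return len(value) * per_char


def audit_session_cookie(header, min_bits=128):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: browser will send the SID over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: SID is readable by page scripts")
    bits = estimated_bits(value)
    if bits < min_bits:
        findings.append(f"SID too short to resist guessing (~{bits:.0f} bits < {min_bits})")
    return name, findings


def audit_all(headers, min_bits=128):
    """Audit several headers; returns a list of (name, findings) in input order."""
    return [audit_session_cookie(h, min_bits) for h in headers]


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS):
        status = "OK" if not findings else "WEAK"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

To use it against a live deployment, feed the script the Set-Cookie headers returned by the login response (for example from a browser's network tab) and expect an empty findings list for the SID cookie once both options are enabled.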