Encrypt Session IDs to Address Vulnerability Issues
CA Service Desk Manager (SDM) uses the Session ID for authenticating each request from the user. This Session ID is sent back and forth through the web browser. An attacker can auto-generate the Session ID and can gain unauthorized access to CA SDM, if it matches any of active SIDs in SDM. An attacker can sniff the SDM web URL using man-in-the-middle attack and can replay the URL to gain unauthorized access to SDM. Using encrypted Session ID and cookie for authenticating user requests may have some minimal performance impact on SDM.
The following attributes are added in Options Manager to support encrypted Session IDs:
- use_encrypted_sid_and_cookie (optional)Use the encrypted Session ID and cookie to prevent spoofing and Man-in-the-middle attack. By default, this attribute is disabled. If you want to have enhanced CA SDM security, this attribute can be enabled (Yes).
- force_browser_to_send_cookie_only_in_ssl_connection(optional)Force the browser to send the Session ID (SID) cookie only if there is an SSL connection. This attribute is applicable only if you have enabled theuse_encrypted_sid_and_cookieto (Yes). By default, this is turned off. If this flag is enabled, CA SDM can only be accessed through an SSL connection.For more information, see Options Manager, Security Options.