Dan Kinder 31.Mar.11 05:38 PM a Web browser Applications development All Releases All Platforms
We have a Domino Application that has session authentication turned on. After running AppScan (with Policy Tester 18.104.22.168) against the application via the QuickScan Portal, we have a High severity issue that states "SESSION IDENTIFIER NOT UPDATED". the remediation task is "Do not accept externally created session identifiers". The post includes the following which is the item being flagged: "Set-Cookie: DomAuthSessId=204D8AD866DECB88C7251027B2361C77;"
I think the reason is that a potential hacker could attempt to steal the cookie/session id and therefore the user's credentials.
The application code that we have does not control the session or session ID, yet the scan is reporting that the way Domino handles the session is a security vulnerability.
After looking into the issue, it appears that with authentication turned on, Domino authenticates the first request with a username and password, then just uses a session ID, stored in a cookie to verify the users credentials.
So, my question...
Is this a behavior that I can control via a configuration change or is this just the way Domino handles authentication and the Session Identifiers? I need some documentation that verifies that this is Domino Product related and not code related so we can get an exception for this issue. If there is some way to change the configuration, then I need to make that change and re-scan the app.
Thank you for any help in getting this verified...