
SOLVED

Set saml_request_path cookie as httponly & secure


Level 4

Hello Team, can someone let me know how to set the saml_request_path cookie as HttpOnly and Secure in AEM? Our website was given for a web scan and this is the response that we got in the web scan report.

Attack Request:

POST /saml_login HTTP/1.1
Host: <myhost>
Connection: keep-alive
Content-Length: 10825
Cache-Control: max-age=0
Origin: <>
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
...
..
etc
&

Attack Response:

HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate
Keep-Alive: timeout=5, max=100
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://<myapp>.html
Server: XYZ
Set-Cookie: login-token=abcde%3acrx.default; Path=/; HttpOnly; Secure
Set-Cookie: saml_request_path="";Version=1;Path=/;Expires=Tue, 17-Jul-2018 11:08:09 GMT;Max-Age=1
X-Content-Type-Options: nosniff

1 Accepted Solution


Correct answer by
Level 4

Make sure your SSL filter is configured correctly if you are using SSL termination in the dispatcher or load balancer.

See AEM redirecting user back to http if accessed through SSL terminated Load Balancer for details.

We experienced the same issue. When the SSL filter is set correctly, the cookie becomes Secure as well.
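As an added illustration (not code from the original thread, from AEM or from Apache Sling), the Python script below does two things: it audits the two Set-Cookie headers quoted in the question and reports which of the HttpOnly and Secure flags each cookie lacks, and it models in miniature why the Secure flag depends on the server knowing the request arrived over HTTPS when TLS is terminated at the dispatcher or load balancer. The forwarded-header name and value used here (X-Forwarded-SSL: on), the cookie value, and all function and class names are assumptions made for this example.

```python
"""Illustrative reimplementation, not AEM or Sling code.

1. audit_cookies(): flag Set-Cookie headers missing HttpOnly / Secure.
2. request_is_secure(): show that a server behind a TLS-terminating proxy sees
   plain HTTP and only treats the request as HTTPS if it is configured to trust
   a forwarded header from the proxy (the role the SSL filter plays in AEM).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two Set-Cookie lines from the scan response above.
SAMPLE_SET_COOKIE_HEADERS = [
    'login-token=abcde%3acrx.default; Path=/; HttpOnly; Secure',
    'saml_request_path="";Version=1;Path=/;Expires=Tue, 17-Jul-2018 11:08:09 GMT;Max-Age=1',
]

REQUIRED_FLAGS = ("HttpOnly", "Secure")


def parse_set_cookie(header: str) -> Tuple[str, set]:
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_flags(header: str) -> Tuple[str, List[str]]:
    """Return (cookie name, list of required flags that are absent)."""
    name, attrs = parse_set_cookie(header)
    return name, [f for f in REQUIRED_FLAGS if f.lower() not in attrs]


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name -> missing flags, only for cookies that have a finding."""
    findings: Dict[str, List[str]] = {}
    for h in headers:
        name, missing = missing_flags(h)
        if missing:
            findings[name] = missing
    return findings


@dataclass
class ForwardedSslConfig:
    """Which header/value from the terminating proxy marks a request as HTTPS.
    Header and value are assumptions for this example, not AEM defaults."""
    header: str = "X-Forwarded-SSL"
    value: str = "on"


def request_is_secure(conn_scheme: str, headers: Dict[str, str],
                      cfg: Optional[ForwardedSslConfig]) -> bool:
    """True if the connection itself is TLS, or the trusted forwarded header says so."""
    if conn_scheme.lower() == "https":
        return True
    if cfg is None:  # no SSL filter configured: a terminated connection looks like plain HTTP
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(cfg.header.lower(), "").strip().lower() == cfg.value.lower()


def build_set_cookie(name: str, value: str, secure_request: bool) -> str:
    """Modelled behaviour: HttpOnly is always set; Secure only when the request is HTTPS."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly"]
    if secure_request:
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    print("Audit of quoted response:", audit_cookies(SAMPLE_SET_COOKIE_HEADERS))
    # Constructed request as seen by AEM behind a TLS-terminating proxy.
    proxied = {"Host": "myhost", "X-Forwarded-SSL": "on"}
    for cfg in (None, ForwardedSslConfig()):
        secure = request_is_secure("http", proxied, cfg)
        print("filter configured:" if cfg else "filter missing:   ",
              build_set_cookie("saml_request_path", "/content/start.html", secure))
```

Run it directly to see the audit result and the cookie issued with and without the forwarded-header configuration. The caveat the thread's answer implies: in AEM the equivalent of ForwardedSslConfig is the SSL filter configuration referenced above, but it only helps if the load balancer actually sends the header and the dispatcher passes it through; otherwise the server still sees plain HTTP and omits Secure.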


2 Replies



Level 4

Do I need to mention your site should be on HTTPS?