Unsafe cache control policy with CA SSO Web agent

Document ID:  TEC1482607
Last Modified Date:  08/09/2017

Products

  • CA Single Sign-On

Releases

  • CA Single Sign-On:Release:12.51
  • CA Single Sign-On:Release:12.52
  • CA Single Sign-On:Release:12.51 CA SiteMinder
  • CA Single Sign-On:Release:12.52 CA SiteMinder
  • CA Single Sign-On:Release:12.52 SP1
  • CA Single Sign-On:Release:12.52 SP2

Components

  • SITEMINDER -WEB AGENT FOR APACHE:SMAPC
  • SITEMINDER -WEB AGENT FOR IIS:SMIIS
Introduction:

How do I instruct the Web Agent to implement a safe caching policy?

Background:

A penetration test detected a potentially unsafe cache control policy for secure content. While content transmitted over an SSL/TLS channel is expected to be confidential in transit, administrators must nonetheless ensure that caching of sensitive content is disabled unless absolutely needed. The misconception that user-agents disable caching of secure content by default can cause the application to fail the organization's cache policy, leaving the secure content cacheable by browsers. An unsafe directive such as Cache-Control: public instructs the browser to persistently cache the content on disk. Caching can be prevented by specifying one of the following three directives in the response headers:
• Cache-Control: private
• Cache-Control: no-cache
• Cache-Control: no-store

Environment:
Web Agent: r12.5 and above
Instructions:

To prevent this vulnerability, set the ExpireForProxy ACO parameter to YES.

When ExpireForProxy=YES, the Web Agent inserts the following HTTP headers in the response:

> Expires: set to a date in the past, which prevents the page from being cached by a proxy, as dictated by the HTTP 1.0 specification
> Cache-Control: no-cache
Note :

This is all good for normal resources, but there are certain resources which you might still want to be cached, e.g. .gif/.jss files, which normally do not change and do not need to be protected.
If these resources are not cached on the client side, they add unnecessary overhead to the network traffic.

To ensure that these files are cached (as an exception to the no-cache setting), do the following:
> Include the extensions of the files you want cached in IgnoreExt, so IgnoreExt should contain the .gif/.jss file extensions.
> Set AllowCacheHeaders=YES

When you make the above changes, this is what happens:
For any file whose extension is included in IgnoreExt, the Web Agent will not insert the no-cache Cache-Control directive in the response header.
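As an added example (not CA's agent code), the following Python models the ACO behaviour described above and implements the kind of check a penetration test runs against response headers. The exact Expires value, the treatment of Expires for IgnoreExt resources and the header dictionaries are assumptions of the example.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from posixpath import splitext

SAFE_DIRECTIVES = {"private", "no-cache", "no-store"}
# Constructed "date in the past" that the modelled agent writes into Expires.
PAST_DATE = format_datetime(datetime(1970, 1, 1, tzinfo=timezone.utc), usegmt=True)


def cache_control_directives(headers):
    """Lower-cased set of directive names from Cache-Control (values dropped)."""
    value = headers.get("Cache-Control", "")
    return {p.strip().split("=")[0].lower() for p in value.split(",") if p.strip()}


def is_caching_prevented(headers, now=None):
    """Pentest-style check: True when the response stops browsers/proxies caching.
    Safe when Cache-Control carries private, no-cache or no-store; a bare
    'public' is the unsafe case; otherwise an Expires date in the past counts
    (an unparsable Expires such as "0" is already expired per RFC 7234)."""
    now = now or datetime.now(timezone.utc)
    directives = cache_control_directives(headers)
    if directives & SAFE_DIRECTIVES:
        return True
    if "public" in directives:
        return False
    expires = headers.get("Expires")
    if expires is None:
        return False
    try:
        return parsedate_to_datetime(expires) < now
    except (TypeError, ValueError):
        return True


def apply_web_agent(path, origin_headers, aco):
    """Model (assumption, not agent code) of the ACO settings described above.
    ExpireForProxy=YES inserts a past Expires plus Cache-Control: no-cache; a
    resource whose extension is listed in IgnoreExt, with AllowCacheHeaders=YES,
    is left untouched so the origin's own caching headers reach the browser."""
    headers = dict(origin_headers)
    if aco.get("ExpireForProxy", "NO").upper() != "YES":
        return headers
    ignored = {e.strip().lower() for e in aco.get("IgnoreExt", "").split(",") if e.strip()}
    exempt = (splitext(path)[1].lower() in ignored
              and aco.get("AllowCacheHeaders", "NO").upper() == "YES")
    if not exempt:
        headers["Cache-Control"] = "no-cache"
        headers["Expires"] = PAST_DATE
    return headers
```

Run `is_caching_prevented` over the headers of each protected page as a regression check after changing the ACO; a static .gif exempted via IgnoreExt is expected to fail the check by design.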
