SDK exception handling in function SSODecodeToken

Document ID : KB000009139
Last Modified Date : 14/02/2018
Issue:

A custom agent that decodes the SMSESSION cookie with SSODecodeToken, catches the different exceptions the call can raise and then returns a different response to the client for each of them can leak information about the SMSESSION token: the distinct responses tell the caller which part of the decode failed (malformed cookie, key or signature problem, expired session, and so on), which it should not be able to learn.

Environment:
Agent API decoding SMSESSION cookie using SSODecodeToken
Cause:

There are two problems:

- The client (custom agent) code returns a different, specific message for each failure code. It can be secured by returning a single, less specific message to the client regardless of the reason the decode failed, and logging the detail server-side instead.

- The SSO SDK itself has a bug in its exception handling that must be fixed.
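As an added example (not code from this KB article or from the CA Agent SDK), the two client-side patterns side by side in Python. A real custom agent calls SSODecodeToken through the Java or C Agent API; here the token format, the key constant AGENT_KEY and the decode_token function are constructed stand-ins for SMSESSION and SSODecodeToken so the block runs offline, and the three probe tokens are constructed inputs. What matters is how the two handlers map the decoder's exceptions onto responses sent back to the client.

```python
import base64
import binascii
import hashlib
import hmac
import json
import logging
import time

# Constructed stand-in for the agent key; CA SSO does not store keys like this.
AGENT_KEY = b"constructed-agent-key-for-the-example-only"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


class TokenError(Exception):
    """Base class for the distinct failures the decoder reports."""


class MalformedToken(TokenError):
    pass


class BadSignature(TokenError):
    pass


class ExpiredToken(TokenError):
    pass


def encode_token(user, ttl, key=AGENT_KEY, now=None):
    """Build a constructed token: base64url(json_body || HMAC-SHA256(key, json_body))."""
    now = time.time() if now is None else now
    body = json.dumps({"user": user, "exp": now + ttl}, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode("ascii")


def decode_token(token, key=AGENT_KEY, now=None):
    """Stand-in for SSODecodeToken: raises a different exception for each failure mode."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (binascii.Error, ValueError, UnicodeEncodeError) as e:
        raise MalformedToken("not valid base64") from e
    if len(raw) <= MAC_LEN:
        raise MalformedToken("too short to carry a MAC")
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise BadSignature("HMAC mismatch (wrong agent key or tampered body)")
    try:
        session = json.loads(body)
    except ValueError as e:
        raise MalformedToken("body is not JSON") from e
    if session.get("exp", 0) < now:
        raise ExpiredToken("expired %d seconds ago" % (now - session["exp"]))
    return session


def leaky_handler(token, now=None):
    """The pattern the KB warns about: every exception becomes a distinguishable response."""
    try:
        session = decode_token(token, now=now)
    except MalformedToken as e:
        return 400, "SMSESSION malformed: %s" % e
    except BadSignature as e:
        return 403, "SMSESSION signature check failed: %s" % e
    except ExpiredToken as e:
        return 401, "SMSESSION expired: %s" % e
    return 200, "user=%s" % session["user"]


def hardened_handler(token, now=None, log=logging.getLogger("custom-agent")):
    """Hardened form: one status and one message for every failure; detail goes to the log only."""
    try:
        session = decode_token(token, now=now)
    except TokenError as e:
        # Operators still get the full reason, but only server-side.
        log.warning("SMSESSION decode failed: %s: %s", type(e).__name__, e)
        return 401, "Authentication failed"
    return 200, "user=%s" % session["user"]


def distinct_failure_responses(handler, tokens, now=None):
    """What an attacker learns: the set of distinct responses across a batch of bad tokens."""
    return {handler(t, now=now) for t in tokens}


NOW = 1_600_000_000  # fixed clock so the example is deterministic
PROBES = [  # constructed bad cookies: garbage, signed with the wrong key, expired
    "not base64 at all!",
    encode_token("alice", ttl=300, key=b"some-other-key", now=NOW),
    encode_token("alice", ttl=-60, now=NOW),
]

if __name__ == "__main__":
    for t in PROBES:
        print("leaky    :", leaky_handler(t, now=NOW))
        print("hardened :", hardened_handler(t, now=NOW))
    print(len(distinct_failure_responses(leaky_handler, PROBES, now=NOW)), "distinct leaky responses")
    print(len(distinct_failure_responses(hardened_handler, PROBES, now=NOW)), "distinct hardened response(s)")
```

Against the three probes the leaky handler answers with three different status codes and messages, so a client can tell a wrong or rotated agent key apart from a tampered or merely expired cookie without any access to the agent host. The hardened handler returns the same answer for every failure and keeps the reason in the agent's own log. The SDK-side exception handling bug mentioned above is a separate issue and is not modelled here.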

Resolution:

The Agent SDK exception handling fix is tracked as bug DE333103.

Additional Information:

Additional steps that can be taken to harden the deployment further:

- Use 'dynamic agent keys' so that the agent keys are rotated. Switching to 'dynamic agent keys' is seamless: users do not need to re-authenticate and CA SSO does not need to re-encrypt any data.

- Switch to FIPS mode (which employs the AES cipher with a 128-bit key and HMAC-SHA256).