Setup for requiring requests from an MPA
Using HTTP headers to maintain session state carries the risk that session keys can be stolen and user sessions spoofed. In an environment with mobile-device clients, MSISDN telephone numbers are used as the session key values. Unlike session cookie values, which are long and random, telephone numbers have a smaller, more predictable, and therefore less secure format: an attacker who can inject the header and guess or enumerate a valid number can take over that user's session.
In a secure WebSEAL environment, HTTP header session keys are therefore only valid when requests are proxied through an authenticated multiplexing proxy agent (MPA). The require-mpa stanza entry in the [session] stanza of the WebSEAL configuration file controls this requirement.
A "yes" setting instructs WebSEAL to accept HTTP header session keys only from requests that are proxied through an authenticated multiplexing proxy agent (MPA). WebSEAL must authenticate the gateway itself before it accepts proxied client connections, so a client that sends the header directly to WebSEAL is not given a session. For example:
[session]
require-mpa = yes
A "no" setting allows WebSEAL to accept HTTP header session keys from any request, whether or not it arrived through an authenticated MPA. This is the weaker setting. For example:
[session]
require-mpa = no
A WebSEAL implementation with an MPA must adhere to the following conditions:
- To avoid conflicts, the MPA cannot use the same session key type as a client accessing WebSEAL through the MPA.
For example, if the MPA maintains its session using a session cookie, the client sessions must be maintained by a different mechanism (such as HTTP header session keys).
- To avoid conflicts, the MPA cannot use the same authentication method as a client accessing WebSEAL through the MPA.
For example, if the MPA uses forms authentication, the client must authenticate using some other mechanism, such as the external authentication interface (EAI). In a typical scenario, the MPA authenticates with basic authentication or certificate authentication, and the client authenticates through the external authentication interface.
If WebSEAL is upgraded to version 6.1 or later from a release that supports HTTP header authentication, the default value for require-mpa changes from no to yes. If HTTP header authentication is in use and the clients do not come through an authenticated MPA, authentication fails after the upgrade until require-mpa is explicitly set to no. Before relaxing the setting, consider whether the clients can instead be fronted by an authenticated MPA so that the secure default can be kept.
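The following is an added example, not IBM's code nor part of the original page. It models the require-mpa decision described above and audits the [session] stanza of a WebSEAL-style configuration, so the weak setting can be spotted before and after an upgrade. The configuration snippets are constructed; the function names, the textual descriptors for session key types and authentication methods, and the treatment of a missing require-mpa entry as "yes" (the post-6.1 default) are assumptions made for illustration.

```python
"""Added example (not IBM's code): require-mpa audit and decision model.

Assumptions: a webseald.conf-style stanza file parsed with configparser;
a missing require-mpa entry is treated as 'yes' (the 6.1+ default described
in the text); the MPA/client descriptors passed to mpa_client_conflicts are
free-form labels chosen for this example.
"""
import configparser

# Constructed samples of the relevant stanza of a WebSEAL configuration file.
WEAK_CONF = """
[session]
require-mpa = no
"""

HARDENED_CONF = """
[session]
require-mpa = yes
"""


def parse_require_mpa(conf_text: str) -> bool:
    """Return True when [session] require-mpa resolves to 'yes' (secure).

    A missing entry is treated as 'yes', matching the default that applies
    after an upgrade to 6.1 or later (assumption for this example).
    """
    # WebSEAL stanza files may repeat keys; strict=False avoids a parse error.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    value = cp.get("session", "require-mpa", fallback="yes")
    return value.strip().lower() == "yes"


def accept_header_session_key(require_mpa: bool, via_authenticated_mpa: bool) -> bool:
    """Model of the rule on the page.

    With require-mpa=yes, an HTTP header session key (for example an MSISDN)
    is honoured only when the request was proxied by an MPA that WebSEAL has
    already authenticated. With require-mpa=no, any request carrying the
    header is accepted, which is the spoofing risk the text warns about.
    """
    if not require_mpa:
        return True
    return via_authenticated_mpa


def mpa_client_conflicts(mpa_session_key: str, client_session_key: str,
                         mpa_auth: str, client_auth: str) -> list:
    """Check the two deployment conditions for an MPA in front of WebSEAL.

    Returns a list of human-readable conflicts; an empty list means the
    MPA and the clients behind it use distinct session-key types and
    distinct authentication methods.
    """
    problems = []
    if mpa_session_key == client_session_key:
        problems.append(
            f"MPA and client both use session key type '{mpa_session_key}'")
    if mpa_auth == client_auth:
        problems.append(
            f"MPA and client both use authentication method '{mpa_auth}'")
    return problems


def audit(conf_text: str) -> str:
    """Summarise the require-mpa posture of a configuration as one line."""
    if parse_require_mpa(conf_text):
        return "require-mpa=yes: header session keys only via authenticated MPA"
    return ("require-mpa=no: header session keys accepted from any client; "
            "session keys such as MSISDNs are guessable, front clients with an MPA")


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf)}")
    # A direct client request carrying the header is rejected under the
    # secure setting but accepted under the weak one.
    print("direct request, require-mpa=yes:",
          accept_header_session_key(True, via_authenticated_mpa=False))
    print("direct request, require-mpa=no:",
          accept_header_session_key(False, via_authenticated_mpa=False))
    # Typical supported scenario from the page: MPA uses basic auth and a
    # session cookie, clients use EAI and HTTP header session keys.
    print("conflicts:", mpa_client_conflicts("session-cookie", "http-header",
                                             "basic", "eai"))
```

Run the file as-is to see the weak and hardened configurations side by side. In a real audit, read webseald.conf from the WebSEAL host and feed its text to `audit`; the decision function is the part worth keeping in mind when tracing why header-based clients stop authenticating after an upgrade.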