72 Novell Access Manager 3.1 SP1 Access Gateway Guide
novdocx (en) 19 February 2010

/etc/init.d/novell-vmc stop
/etc/init.d/novell-vmc start

2.5.2 Securing the Proxy Session Cookie

The proxy session cookies store authentication information and other information in temporary memory that is transferred between the browser and the proxy. These cookies are deleted when the browser is closed. However, if these cookies are sent through a non-secure channel, there is a threat of hackers intercepting the cookies and impersonating a user on Web sites. To stop this from happening, you can use the following configuration options:

- Set an authentication cookie with a secure keyword for HTTP: You can configure the Access Gateway to force the HTTP services to have the authentication cookie set with the keyword secure.

  To enable this option:

  1. In the Administration Console, click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.
  2. Enable the Force Secure Cookies option, then click OK twice.
  3. Update the Access Gateway.

  This option is used to secure the cookie when the Access Gateway is placed behind an SSL accelerator, such as the Cisco SSL accelerator, and the Access Gateway is configured to communicate by using only HTTP.

- Prevent cross-site scripting vulnerabilities: Cross-site scripting vulnerabilities in Web browsers allow malicious sites to grab cookies from a vulnerable site. The goal of such attacks might be to perform session fixation or to impersonate the valid user. You can configure the Access Gateway to set its authentication cookie with the HttpOnly keyword, to prevent scripts from accessing the cookie.

  To enable this option:

  1. In the Administration Console, click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.
  2. Enable the Force HTTP-Only Cookies option, then click OK twice.
  3. Update the Access Gateway.

- Prevent the browser from sending cookies on a non-HTTPS channel: You can configure the Linux Access Gateway Appliance to set its authentication cookie with the secure keyword in order to prevent the browser from sending this cookie on a non-HTTPS channel. To enable this, use the following touch file:

  /var/novell/.EnableSecureCookie

  This file works when the Force Secure Cookie option is disabled in the Administration Console.

  NOTE: This works only for HTTPS services. When this setting is enabled, you cannot configure the Access Gateway to have an HTTP service that requires authentication, or create a policy that depends on the authentication cookie.
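After updating the Access Gateway, an administrator can confirm that the options above took effect by inspecting the Set-Cookie headers the proxy returns. The following Python script is an added example (not from the Novell guide) that parses the headers of a captured HTTP response and lists every cookie that lacks the Secure or HttpOnly attribute; the response text and cookie names are constructed.

```python
"""Check the Set-Cookie headers of a captured HTTP response for Secure and HttpOnly."""
from typing import Dict, List, Tuple

# Constructed sample response; not captured from a real Access Gateway.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: proxy_session=abc123; Path=/\r\n"                 # neither flag
    "Set-Cookie: JSESSIONID=8F3D2A; Path=/; Secure; HttpOnly\r\n"  # both flags
    "Set-Cookie: lang=en; Path=/; Secure\r\n"                      # HttpOnly missing
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Attributes the section above expects on the authentication cookie.
REQUIRED = ("Secure", "HttpOnly")


def set_cookie_values(raw_response: str) -> List[str]:
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(value: str) -> Tuple[str, List[str]]:
    """Return (cookie name, required attributes the cookie lacks); names are case-insensitive per RFC 6265."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    missing = [flag for flag in REQUIRED if flag.lower() not in attrs]
    return name, missing


def audit(raw_response: str) -> Dict[str, List[str]]:
    """Map each cookie lacking Secure or HttpOnly to its missing attributes; empty means all cookies pass."""
    findings = {}
    for value in set_cookie_values(raw_response):
        name, missing = parse_set_cookie(value)
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for name, flags in audit(SAMPLE_RESPONSE).items():
        print(f"{name}: missing {', '.join(flags)}")
```

Feed it the raw response headers captured from the proxy (for example with a browser's developer tools or a request tool) to check each protected service.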