You may be wondering what "secure logout" is. We hear a lot about "secure login", and we make sure login is protected by various means. You access key applications from several devices, log off, and believe you have securely left the app and that nobody can get at your account. Be ready for a surprise. Today's browsers try to give you a seamless experience, and in building that convenience they sometimes trade away security. If you keep multiple browser tabs open, logging off from one tab of an application may not be enough: until the browser is closed completely it may retain the cookie state and let you get back into your original session. Sometimes simply pressing Back on the page you logged out from does the trick.
So how do you make sure that logout really means nobody can reach your session? The simple and effective way is to invalidate the application's session cookie the moment the user hits the logout button. On NetScaler, if you use the AAA-TM feature for authentication, NetScaler sets the NSC_TMAA cookie, and for a secure (HTTPS) site there is an additional cookie, NSC_TMAS. If you invalidate these cookies at logout and the client browser honors the invalidation, the old session can no longer be reached from that browser. These cookies are set for the authentication domain on NetScaler, so every other application that belongs to the same authentication domain and is fronted by NetScaler will be affected as well. The key is to send the same cookies back with an expiration date in the past: the client sees the old date and discards them. Keep in mind that this acts on the browser's copy of the session; the AAA-TM session on NetScaler itself is not terminated by the rewrite and still exists until it times out or the AAA logout is invoked, so combine this with a server-side logout where you can rather than relying on cookie expiry alone.
Here is a sample configuration for OWA 2010 that does this:

```
add rewrite action owa2010_invalidate_tmas_cookie_act insert_http_header Set-Cookie "\"NSC_TMAS=xyz;Domain=.yourdomain.com;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\""
add rewrite action owa2010_invalidate_tmaa_cookie_act insert_http_header Set-Cookie "\"NSC_TMAA=xyz;Domain=.yourdomain.com;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\""
add rewrite policy owa2010_invalidate_tmas_cookie_pol "HTTP.REQ.URL.CONTAINS(\"owa/auth/logoff.aspx?Cmd=logoff&src=exch\")" owa2010_invalidate_tmas_cookie_act
add rewrite policy owa2010_invalidate_tmaa_cookie_pol "HTTP.REQ.URL.CONTAINS(\"owa/auth/logoff.aspx?Cmd=logoff&src=exch\")" owa2010_invalidate_tmaa_cookie_act
bind lb vserver owa2010 -policyName owa2010_invalidate_tmas_cookie_pol -priority 90 -gotoPriorityExpression 100 -type RESPONSE
bind lb vserver owa2010 -policyName owa2010_invalidate_tmaa_cookie_pol -priority 100 -gotoPriorityExpression END -type RESPONSE
```
When binding these policies, make sure no other policy is already bound at the same priority on the given bind point. The first policy uses -gotoPriorityExpression 100 so that the second one is evaluated as well and both Set-Cookie headers are inserted on the same logout response. This approach has been validated internally, but you still need to confirm it works in your own deployment: the Domain and Path attributes in the rewrite actions must match exactly those of the NSC_TMAA and NSC_TMAS cookies the browser holds (here .yourdomain.com and /), otherwise the browser treats the expiring cookie as a different cookie and keeps the live one. The easiest check is to watch the logout response in the browser's developer tools and then try the Back button. The expires value uses the old Netscape date format; RFC 6265 clients ignore the weekday token (09-Nov-1999 was in fact a Tuesday), so the string above works, but the conventional form is Tue, 09 Nov 1999 23:12:40 GMT. The policies were written with the OWA application server in mind; to use this configuration for other applications, change the policy expressions to that application's logout URL.
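To see what the browser actually does with these headers, here is an added example in Python (not part of the original post and not NetScaler code). It applies the RFC 6265 cookie-date and cookie-matching rules to a constructed logout response carrying the two Set-Cookie headers the rewrite actions above produce, and reports whether each AAA cookie the browser holds would be discarded. The cookie names, the .yourdomain.com scope and the sample headers come from the configuration above; the scope of the held cookies (Domain .yourdomain.com, Path /) and the `audit_logout` helper are assumptions made for the example.

```python
"""Would an RFC 6265 client discard its AAA-TM cookies after this logout
response?  Added example, not NetScaler code."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
# RFC 6265 s5.1.1: these byte ranges separate the tokens of a cookie-date
_DELIM = re.compile(r"[\x09\x20-\x2f\x3b-\x40\x5b-\x60\x7b-\x7e]+")
_TIME = re.compile(r"^(\d{1,2}):(\d{1,2}):(\d{1,2})(?:\D.*)?$")
_DAY = re.compile(r"^(\d{1,2})(?:\D.*)?$")
_YEAR = re.compile(r"^(\d{2,4})(?:\D.*)?$")


def parse_cookie_date(text: str) -> Optional[datetime]:
    """Lenient cookie-date algorithm from RFC 6265 section 5.1.1.

    The weekday token is never consulted, so 'Wednesday, 09-Nov-1999 ...'
    parses fine even though that date was a Tuesday.  Returns None when a
    required field is missing or out of range."""
    hms = day = month = year = None
    for tok in _DELIM.split(text):
        if not tok:
            continue
        m = _TIME.match(tok)
        if hms is None and m:
            hms = tuple(int(g) for g in m.groups())
            continue
        m = _DAY.match(tok)
        if day is None and m:
            day = int(m.group(1))
            continue
        if month is None and tok[:3].lower() in MONTHS:
            month = MONTHS.index(tok[:3].lower()) + 1
            continue
        m = _YEAR.match(tok)
        if year is None and m:
            year = int(m.group(1))
            if 70 <= year <= 99:          # two-digit year rules
                year += 1900
            elif year <= 69:
                year += 2000
    if None in (hms, day, month, year) or year < 1601:
        return None
    try:
        return datetime(year, month, day, *hms, tzinfo=timezone.utc)
    except ValueError:                    # e.g. hour 25 or 31-Feb
        return None


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes (Secure) map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def cookie_cleared(set_cookie: str, name: str, domain: str, path: str,
                   now: Optional[datetime] = None) -> bool:
    """True if a client holding cookie `name` scoped to (domain, path) would
    discard it after processing `set_cookie`.  A browser only replaces a
    cookie whose name, domain and path all match; a Set-Cookie without a
    Domain attribute creates a host-only cookie and leaves the domain cookie
    alone.  Max-Age takes precedence over Expires.  (Default-path derivation
    is simplified to '/'.)"""
    now = now or datetime.now(timezone.utc)
    sc_name, _, attrs = parse_set_cookie(set_cookie)
    if sc_name != name:
        return False
    if attrs.get("domain", "").lstrip(".").lower() != domain.lstrip(".").lower():
        return False
    if attrs.get("path", "/") != path:
        return False
    if "max-age" in attrs:
        return attrs["max-age"].lstrip("-").isdigit() and int(attrs["max-age"]) <= 0
    expires = parse_cookie_date(attrs.get("expires", ""))
    return expires is not None and expires <= now


def audit_logout(set_cookie_headers: List[str],
                 held: List[Tuple[str, str, str]],
                 now: Optional[datetime] = None) -> Dict[str, bool]:
    """For each held (name, domain, path), does any header clear it?"""
    return {name: any(cookie_cleared(h, name, domain, path, now)
                      for h in set_cookie_headers)
            for name, domain, path in held}


# Constructed sample: the two headers the rewrite actions on this page emit
LOGOUT_SET_COOKIES = [
    "NSC_TMAS=xyz;Domain=.yourdomain.com;Path=/;"
    "expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure",
    "NSC_TMAA=xyz;Domain=.yourdomain.com;Path=/;"
    "expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure",
]
# Assumed scope of the cookies the browser holds after AAA-TM login
HELD = [("NSC_TMAA", ".yourdomain.com", "/"),
        ("NSC_TMAS", ".yourdomain.com", "/")]

if __name__ == "__main__":
    for cookie, ok in audit_logout(LOGOUT_SET_COOKIES, HELD).items():
        print(f"{cookie}: {'cleared' if ok else 'STILL VALID'}")
```

Run it as-is and both cookies report as cleared; change the Path in `HELD` to `/owa` or the Domain to another host and the same response leaves the session cookie untouched, which is exactly the misconfiguration to look for when the Back button still gets you into the mailbox.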
A simple and effective way to tighten application security 🙂