restrict cookie - https call back from payment gateway



bctechnology
07-Oct-2009, 17:26
Hello there,

We found a situation where if we were to log in via AM3, the HTTPS
callback from our payment gateway provider (Moneris) could not create a
cookie during the HTTP response from them. It's not a problem if we
log in to our ERP db directly, but if we use the AM3 (for SSO convenience)
method, it won't work.

Is this a security feature of AM3 and if so, how could I "enable" it?

Thanks

Chris


--
bctechnology
------------------------------------------------------------------------
bctechnology's Profile: http://forums.novell.com/member.php?userid=2999
View this thread: http://forums.novell.com/showthread.php?t=388569

afolli
07-Oct-2009, 21:16
Hi. I don't know how Moneris works. I suppose it uses AJAX to implement
the HTTP callback. If that's the case, ensure the call includes the IPCZQ
and ZNPCQ cookies of Access Manager.

HTH,

Alessandro

bctechnology;1868404 Wrote:
> Hello there,
>
> We found a situation where if we were to log in via AM3, the HTTPS
> callback from our payment gateway provider (Moneris) could not create a
> cookie during the HTTP response from them. It's not a problem if we
> log in to our ERP db directly, but if we use the AM3 (for SSO convenience)
> method, it won't work.
>
> Is this a security feature of AM3 and if so, how could I "enable" it?
>
> Thanks
>
> Chris


--
afolli
------------------------------------------------------------------------
afolli's Profile: http://forums.novell.com/member.php?userid=6964
View this thread: http://forums.novell.com/showthread.php?t=388569

bctechnology
07-Oct-2009, 23:26
"... IPCZQ and ZNPCQ cookies of Access Manager..."

wow, I never heard of this .. what are these cookies?



afolli
08-Oct-2009, 00:56
IPCZQ is the session cookie and ZNPCQ is the session persistence
cookie.
HTTP requests should contain something like this:

Cookie: ZNPCQ003-32303700=78b35fd0; IPCZQX03a36c6c0a=00000200c0a85b432c7255a99760070c0a93a91f;

Alessandro


bctechnology;1868632 Wrote:
> "... IPCZQ and ZNPCQ cookies of Access Manager..."
>
> wow, I never heard of this .. what are these cookies?


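A way to check a captured callback request for the two Access Manager cookies named above, as an added example that is not part of the original posts. The prefixes and the first sample header come from the thread; the function names and the second sample (with a constructed application cookie) are assumptions. Cookie names carry a suffix, so the match is on the prefix, and values are masked because they are session identifiers.

```python
# Added example: checks a raw Cookie header for Access Manager cookies.
# Prefixes are from the thread; all function names here are hypothetical.
AM_PREFIXES = {"IPCZQ": "session", "ZNPCQ": "session persistence"}

# Header as shown in the thread.
SAMPLE_WITH = ("Cookie: ZNPCQ003-32303700=78b35fd0; "
               "IPCZQX03a36c6c0a=00000200c0a85b432c7255a99760070c0a93a91f;")
# Constructed sample: a request carrying only an application cookie.
SAMPLE_WITHOUT = "Cookie: APPSESSION=constructed-value-123"


def parse_cookie_header(header):
    """Split a raw Cookie header into (name, value) pairs."""
    if header.lower().startswith("cookie:"):
        header = header[len("cookie:"):]
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # tolerate trailing ';' and malformed fragments
        name, value = part.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def classify(header):
    """Group cookie names by role; anything else is an application cookie."""
    found = {role: [] for role in AM_PREFIXES.values()}
    found["application"] = []
    for name, _value in parse_cookie_header(header):
        role = next((r for p, r in AM_PREFIXES.items()
                     if name.startswith(p)), "application")
        found[role].append(name)
    return found


def missing_am_cookies(header):
    """Return the Access Manager prefixes absent from the request."""
    found = classify(header)
    return [p for p, role in AM_PREFIXES.items() if not found[role]]


def redacted(header):
    """Log-safe rendering: keep cookie names, mask the values."""
    return "; ".join(f"{n}=<{len(v)} chars>"
                     for n, v in parse_cookie_header(header))


if __name__ == "__main__":
    for sample in (SAMPLE_WITH, SAMPLE_WITHOUT):
        print(redacted(sample), "| missing:", missing_am_cookies(sample))
```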

bctechnology
08-Oct-2009, 17:46
Alessandro,

Yes, I read this in the docs, but are these cookies specific to IDP and
AM3 only? Moneris, or any web app I guess, shoots back its own
cookie. This is the one I'm wondering about: whether it allows the
creation of these cookies by the app itself or not.

Not so clear or clear as mud =)



afolli
09-Oct-2009, 08:26
Hi. Yes, these cookies are specific to AM. I don't know exactly how
Moneris works; I have illustrated a possible issue that causes an HTTP
callback to fail.
Anyway, Access Manager does not block application cookies.

Alessandro

bctechnology;1869216 Wrote:
> Alessandro,
>
> Yes, I read this in the docs, but are these cookies specific to IDP and
> AM3 only? Moneris, or any web app I guess, shoots back its own
> cookie. This is the one I'm wondering about: whether it allows the
> creation of these cookies by the app itself or not.
>
> Not so clear or clear as mud =)



bctechnology
15-Oct-2009, 18:26
How the application creates the cookies could be a factor.
In this case, via HTTP callback. We noticed this because the application
was able to create cookies when it was behind iChain, but after we
switched over, that is no longer the case, so we had to create a table
for the application to write to in order to store the values
instead of via cookies.

