Issue
What is the Network Management Card 2 (NMC2) "Require Authentication Cookie" option for?
Product Line
- Network Management Card 2 (NMC2) - AP9630/AP9630CH, AP9631/AP9631CH, AP9635/AP9635CH
Devices with an embedded Network Management Card 2 include (but are not limited to): 2G Metered/Switched Rack PDUs (AP84XX, AP86XX, AP88XX, AP89XX) and certain Audio/Video Network Management Enabled products.
Environment
- All serial numbers
- v6.X.X firmware
Cause
"Require Authentication Cookie" is a new option in NMC2 v6.X.X firmware.
Resolution
The intent of the cookie is to prevent web user interface (UI) session hijacking. It stores the unique session ID that is created when a user logs in to the web UI. (It does not contain any usernames or passwords.)
When the cookie is enabled, the user accessing the NMC2 must have the correct session ID (present in the web URL), the same remote IP address used to create the session, and the cookie present.
When the cookie option is disabled, a user can copy and paste the same URL, including its session ID, into a new tab of the same web browser without being required to log in again. Because IP addresses can be spoofed, the cookie is an additional mechanism to help prevent that possibility: an attacker who spoofs the IP address of the user's original computer and has somehow obtained the unique session ID from the URL would still not have the cookie, and so cannot use the session.
In summary, the session ID in the URL and the session ID in the cookie (if enabled) must both match what was issued at login, and the request must come from the remote IP address that created the session. With the cookie requirement off, no cookie check is done; only the remote IP address and the unique session ID in the URL (created upon login) must match.
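To make the three checks concrete, the following is a small Python model of the session validation described above, with and without the cookie requirement. It is an added example written for this article, not NMC2 firmware code: the URL parameter name `session`, the cookie name `nmc_session`, the class names and the 192.0.2.x addresses are assumptions, since the article does not document the firmware's actual names or storage.

```python
"""Model of the NMC2 web-UI session check described in this article.

Added illustration, not NMC2 firmware code. The firmware's real URL
parameter name, cookie name and session storage are not documented here,
so SESSION_PARAM, COOKIE_NAME and the classes below are assumptions made
for this example. Sample addresses are from the documentation range
192.0.2.0/24 and the URLs are constructed for the example.
"""
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

SESSION_PARAM = "session"    # assumed name of the URL parameter carrying the session ID
COOKIE_NAME = "nmc_session"  # assumed name of the authentication cookie


@dataclass
class Session:
    session_id: str
    remote_ip: str  # address that created the session at login


@dataclass
class Request:
    url: str
    remote_ip: str
    cookies: dict = field(default_factory=dict)


class SessionStore:
    """Holds live sessions and applies the checks the article describes."""

    def __init__(self, require_cookie: bool):
        self.require_cookie = require_cookie
        self._sessions = {}

    def login(self, remote_ip: str) -> str:
        """Create a session for remote_ip and return its unique session ID.

        The same ID goes into the URL and, when the option is on, into the
        cookie the browser stores.
        """
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session(sid, remote_ip)
        return sid

    def is_authorized(self, req: Request) -> bool:
        # 1. The URL must carry a session ID that exists.
        sid = parse_qs(urlparse(req.url).query).get(SESSION_PARAM, [None])[0]
        sess = self._sessions.get(sid)
        if sess is None:
            return False
        # 2. The request must come from the IP that created the session.
        if req.remote_ip != sess.remote_ip:
            return False
        # 3. With the option on, the cookie must carry the same session ID.
        if self.require_cookie and req.cookies.get(COOKIE_NAME) != sid:
            return False
        return True


def hijack_scenario(require_cookie: bool) -> dict:
    """Replay the cases discussed in the article against one login.

    Returns whether each requester is accepted.
    """
    store = SessionStore(require_cookie)
    owner_ip = "192.0.2.10"
    sid = store.login(owner_ip)
    url = f"http://192.0.2.1/home.htm?{SESSION_PARAM}={sid}"  # constructed URL

    # Legitimate user: same IP, cookie still in the browser (e.g. a new tab).
    owner = Request(url, owner_ip, {COOKIE_NAME: sid})
    # Attacker who learned the URL and spoofs the owner's IP but has no cookie.
    spoofer_no_cookie = Request(url, owner_ip, {})
    # Attacker who learned the URL but connects from a different address.
    other_ip = Request(url, "192.0.2.99", {COOKIE_NAME: sid})

    return {
        "owner": store.is_authorized(owner),
        "spoofed_ip_no_cookie": store.is_authorized(spoofer_no_cookie),
        "different_ip": store.is_authorized(other_ip),
    }


if __name__ == "__main__":
    for flag in (True, False):
        print(f"require_cookie={flag}: {hijack_scenario(flag)}")
```

Running the script shows the difference the option makes: with `require_cookie=True` only the owner is accepted, while with `require_cookie=False` the requester that spoofs the owner's IP and pastes the URL is also accepted, because the session ID in the URL and the remote IP are the only two things checked. A request from a different IP fails in both modes.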