
WAF/OTP combination causes session disconnects due to Sophos bug

Using WAF and OTP is causing session disconnects. The solution will come in release 9.4xx, which has no official release date. OTP is a paid extra service on the UTM. Sophos is leaving me in the cold. We have spent a lot of money on the issue, and need to spend extra money on an alternative solution. Can we get compensation for these costs?

Issue: http://sophos.com/kb/117759

Sometimes OTP authentication for WAF didn't work. When handling a client request, the current process has to have the data structure holding all known user sessions in its memory. If this is not the case, no user session for the user currently being handled will be found and a new one will be initiated. During this initialization process, the user's credentials will be verified against AUA. In case of OTP this will fail since the user's client sent a session cookie containing a password with an old OTP token.



  • One of my customers seems to have the same problem - should be fixed in 9.370

    I'll call support now.


    ID34447 9.306 Issue with WAF Rev. Auth. and OTP
    ------------------------------------------------------------------------
    Description: Sometimes OTP authentication for WAF didn't work.

    When handling a client request, the current process has to
    have the data structure holding all known user sessions in
    its memory. If this is not the case, no user session for
    the user currently being handled will be found and a new
    one will be initiated. During this initialization process,
    the user's credentials will be verified against AUA. In
    case of OTP this will fail since the user's client sent a
    session cookie containing a password with an old OTP
    token.
    Workaround: Please contact support referring to this bug ID to provide
    a workaround for that issue.
    Fixed in: 9.370
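
The failure described in bug ID34447, as an added Python model that is not Sophos code and not part of the original posts: two worker processes, a cookie that carries the password and the OTP used at login, and a second request that lands on a worker without the session in memory. The `AuthBackend`, `Worker` and `simulate` names, the user and the secret are hypothetical, and the shared session table shown for comparison is an assumption, not the vendor's fix.

```python
import hashlib, hmac, struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)
SECRET = b"constructed-secret"  # constructed sample value

def totp(secret, now):
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for the time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**6:06d}"

class AuthBackend:
    """Hypothetical stand-in for the authentication service (AUA in the bug note)."""
    def __init__(self, users):
        self.users = users  # user -> (password, TOTP secret)

    def verify(self, user, password, otp, now):
        pw, secret = self.users[user]
        return (hmac.compare_digest(password, pw)
                and hmac.compare_digest(otp, totp(secret, now)))

class Worker:
    """One request-handling process; its session table is private unless shared."""
    def __init__(self, backend, sessions=None):
        self.backend = backend
        self.sessions = {} if sessions is None else sessions

    def handle(self, cookie, now):
        user, password, otp = cookie
        if user in self.sessions:          # session known to this process
            return "ok"
        # Session not in this process's memory: start a new one by
        # re-verifying the credentials carried in the cookie.
        if self.backend.verify(user, password, otp, now):
            self.sessions[user] = now
            return "ok"
        return "reauth-failed"             # stale OTP -> user is disconnected

def simulate(shared):
    """Log in on worker 0, then send the same cookie to worker 1 two minutes later."""
    backend = AuthBackend({"alice": ("pw", SECRET)})
    store = {} if shared else None
    workers = [Worker(backend, store), Worker(backend, store)]
    t0 = 1_700_000_000
    cookie = ("alice", "pw", totp(SECRET, t0))
    return workers[0].handle(cookie, t0), workers[1].handle(cookie, t0 + 120)
```

`simulate(False)` reproduces the disconnect (`"ok"` then `"reauth-failed"`), while `simulate(True)` keeps the session because both workers see the same table.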