Question
Pegasystems Inc.
JP
Last activity: 7 Apr 2016 9:39 EDT
Requirements for WebSEAL SSO integration
Hi,
We are about to build SSO integration with WebSEAL on Pega 7.2/WebLogic 12.1.3. I have provided the following two settings that Pega requires to the WebSEAL team, but they said these are not acceptable under their security policies.
1.
[script-filtering]
script-filter=yes
rewrite-absolute-with-absolute=yes
2.
[preserve-cookie-name]
#PRPC URL Obfuscation
name=JSESSIONID
#PRPC Visio/Word/Excel Compatibility
name=Pega-RULES
My question is, if these can't be accepted, does that mean we can't accomplish WebSEAL SSO integration or do we still have any alternatives?
They also have other regulations as follows:
- URLs written in the application must be relative paths.
- Do not use the <BASE> tag.
- If the application uses cookies, they have to be set in the HTTP header. A cookie that has no value can't be used.
- If the browser sends data to the web server, use the POST method as much as possible.
- Do not build an application that uses the Content-length: header.
- Use double quotation marks for URLs when specifying a tag.
- URLs written in JavaScript must be relative paths.
- Do not use <> for variables.
etc.
Thanks,
Kensho
Pegasystems Inc.
US
Chris Koyl, please take a look when you get a chance and reply back?
We would need the above Security Policy in Pega, as we deal with many absolute URLs in request and response.
Background: WebSEAL operating in a traditional request/response paradigm
WebSEAL is a reverse proxy that uses URL rewriting to provide some of its core functionality. The role of a reverse proxy is to provide a centralized point to receive HTTP requests on behalf of a back-end Web server. When an HTTP request is received by the reverse proxy, it uses a junction (similar to a UNIX® mount) in order to determine to which back-end Web server to pass the request (see Figure 1-1). This generally requires that the URL be re-written in order to make sense to the Web server. The re-written request is then sent on to the back-end server. The back-end Web server accepts the request as a standard HTTP GET request and processes it accordingly.
Figure 1-1. Reverse proxy request processing
The second point where the reverse proxy acts as a mediator is by filtering the response from the back-end Web server to replace all URLs to include the junction details (see Figure 1-2). This ensures that all links in the returned HTML page point to valid URLs.
Figure 1-2. Reverse proxy response processing
Before you can fully consider how WebSEAL will work with AJAX applications, it is essential to understand the fundamental rules WebSEAL uses to filter URLs in the HTML content. These rules vary depending on the type of junction deployed in the environment. The following sections address each type of URL.
Filter rules for relative URLs
Relative URLs are always handled appropriately by the browser. Therefore, WebSEAL does not filter relative URLs.
Table 1. Example - Relative URLs
| | Browser <-> IBM Tivoli WebSEAL | WebSEAL <-> Back-end Web server |
|---|---|---|
| Request | GET "example.html" | GET "example.html" |
| Response | <html> <head> <title>Example Page</title> </head> <body> <a href="../sample.html">Sample link</a> </body> </html> | <html> <head> <title>Example Page</title> </head> <body> <a href="../sample.html">Sample link</a> </body> </html> |
Filter rules for server-relative URLs
WebSEAL must add the junction name to the path of server-relative URLs that refer to resources located on junctioned servers.
Table 2. Example: Server relative URLs
| | Browser <-> IBM Tivoli WebSEAL | WebSEAL <-> Back-end Web server |
|---|---|---|
| Request | GET "/junction/html/example.html" | GET "/html/example.html" |
| Response | <html> <head> <title>Example Page</title> </head> <body> <a href="/junction/html/sample.html">Sample link</a> </body> </html> | <html> <head> <title>Example Page</title> </head> <body> <a href="/html/sample.html">Sample link</a> </body> </html> |
Filter rules for absolute URLs
WebSEAL must add the junction name to the path of the absolute URLs that refer to resources located on junctioned servers. By default, WebSEAL changes the absolute URL into a server-relative URL. The rewrite-absolute-with-absolute parameter determines if the absolute URL is used. This parameter is located in the WebSEAL configuration file, which is by default located at WEBSEAL_HOME/etc/webseald-instance.conf.
Table 3. Example: Absolute URLs
| | Browser <-> IBM Tivoli WebSEAL | WebSEAL <-> Back-end Web server |
|---|---|---|
| Request | GET "http://www.ibm.com/junction/html/example.html" | GET "http://www.backend.com/html/example.html" |
| Response | <html> <head> <title>Example page</title> </head> <body> <a href="/junction/html/sample.html">Sample link</a> </body> </html> | <html> <head> <title>Example Page</title> </head> <body> <a href="http://www.backend.com/html/sample.html">Sample link</a> </body> </html> |
| Response (rewrite-absolute-with-absolute=yes) | <html> <head> <title>Example page</title> </head> <body> <a href="http://www.ibm.com/junction/html/sample.html">Sample link</a> </body> </html> | <html> <head> <title>Example page</title> </head> <body> <a href="http://www.backend.com/html/sample.html">Sample link</a> </body> </html> |
Reference: https://developer.ibm.com/product-doclinks/
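To make the three filter rules in Tables 1 to 3 concrete, here is an added Python model of WebSEAL's response filtering; it is example code, not IBM's or Pega's. Relative URLs pass through untouched, server-relative URLs get the junction name prepended, and absolute URLs to the junctioned back-end become server-relative by default or, with rewrite-absolute-with-absolute=yes, absolute URLs on the WebSEAL host. It also models script-filter=yes as rewriting absolute back-end URLs that appear as quoted string literals inside script bodies, which is a simplification of what WebSEAL does; the hostnames, the junction name and the sample response are constructed, and the function and variable names are the example's own.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed values (assumptions, not from the thread): the host the browser
# talks to, the junction name and the junctioned back-end host.
WEBSEAL_HOST = "www.ibm.com"
JUNCTION = "/junction"
BACKEND_HOST = "www.backend.com"

# URL-bearing HTML attributes the markup filter inspects (a subset).
ATTR_RE = re.compile(r'\b(href|src|action)="([^"]*)"', re.IGNORECASE)
# <script> elements, so script bodies are handled separately from markup.
SCRIPT_RE = re.compile(r"(<script\b[^>]*>)(.*?)(</script>)", re.IGNORECASE | re.DOTALL)
# Quoted absolute http(s) URL literals inside script text.
SCRIPT_URL_RE = re.compile(r"""(["'])(https?://[^"']+)\1""")


def classify(url):
    """Return 'relative', 'server-relative' or 'absolute' (the three table cases)."""
    parts = urlsplit(url)
    if parts.scheme and parts.netloc:
        return "absolute"
    if url.startswith("/"):
        return "server-relative"
    return "relative"


def rewrite_url(url, rewrite_absolute_with_absolute=False):
    """Apply the junction rewrite a single URL receives in a filtered response."""
    kind = classify(url)
    if kind == "relative":
        return url                      # Table 1: the browser resolves it, WebSEAL leaves it alone
    if kind == "server-relative":
        return JUNCTION + url           # Table 2: junction name prepended to the path
    parts = urlsplit(url)
    if parts.hostname != BACKEND_HOST:
        return url                      # absolute URL to a non-junctioned host: left alone (assumption)
    path = JUNCTION + parts.path
    if rewrite_absolute_with_absolute:  # Table 3, rewrite-absolute-with-absolute=yes
        return urlunsplit((parts.scheme, WEBSEAL_HOST, path, parts.query, parts.fragment))
    return urlunsplit(("", "", path, parts.query, parts.fragment))  # Table 3 default: server-relative


def filter_response(html, rewrite_absolute_with_absolute=False, script_filter=False):
    """Model the response filter: URL attributes in markup are always rewritten,
    URL literals inside <script> bodies only when script_filter is on."""
    def attr_sub(m):
        return '%s="%s"' % (m.group(1), rewrite_url(m.group(2), rewrite_absolute_with_absolute))

    def literal_sub(m):
        return m.group(1) + rewrite_url(m.group(2), rewrite_absolute_with_absolute) + m.group(1)

    out, pos = [], 0
    for m in SCRIPT_RE.finditer(html):
        out.append(ATTR_RE.sub(attr_sub, html[pos:m.start()]))  # markup before this script
        body = m.group(2)
        if script_filter:
            body = SCRIPT_URL_RE.sub(literal_sub, body)
        out.append(ATTR_RE.sub(attr_sub, m.group(1)) + body + m.group(3))
        pos = m.end()
    out.append(ATTR_RE.sub(attr_sub, html[pos:]))                # markup after the last script
    return "".join(out)


def backend_host_leaks(html):
    """Count occurrences of the back-end hostname that would reach the browser."""
    return html.count(BACKEND_HOST)


# Constructed back-end response: one URL of each kind in markup, plus a
# JavaScript variable that embeds an absolute back-end URL.
SAMPLE_RESPONSE = """<html><head><title>Example page</title>
<script>
var requestHomeURI = "http://www.backend.com/prweb/app";
</script></head><body>
<a href="../sample.html">Relative</a>
<a href="/html/sample.html">Server-relative</a>
<a href="http://www.backend.com/html/sample.html">Absolute</a>
</body></html>"""

if __name__ == "__main__":
    print("--- default filtering (HTML attributes only) ---")
    print(filter_response(SAMPLE_RESPONSE))
    print("--- script-filter=yes, rewrite-absolute-with-absolute=yes ---")
    print(filter_response(SAMPLE_RESPONSE, rewrite_absolute_with_absolute=True, script_filter=True))
```

Running it shows the point of the thread: with attribute-only filtering the two anchors are rewritten but the JavaScript variable still carries the back-end hostname to the browser, whereas with both settings enabled no back-end hostname is left in the response.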
Pegasystems Inc.
JP
Hi Naresh,
>We would need the above Security Policy in Pega, as we deal with many absolute URLs in request and response.
Could you give some examples which support your statement?
Chunzhi
Please use Fiddler to capture traffic during log-in and other scenarios.
<script> var uwtClientStart = new Date().getTime(); if (!pega) var pega = {}; if (!pega.desktop) { pega.desktop = {}; pega.d = pega.desktop; } pega.desktop.loadTime = new Date().getTime(); pega.d.csrfToken = "" ; pega.d.obfuscateKey = "0202aea3fa260912665deffec833f292" ; pega.d.pyUID = "Admin@cars"; pega.d.pxReqURI = "/prweb/X7yZzKI3vuUpvtYg5c4c4NXizZZURkUw*/!STANDARD"; pega.d.pxHelpURI = "http://lreddn1w7hyd:8719/prhelp"; pega.d.pxPdnURI = "https://collaborate.pega.com/discussion/developer-portal-designer-studio-not-loading-properly-after-upgrading-pega-719-pega-61"; var requestHomeURI = "http://lreddn1w7hyd:8719/prweb/X7yZzKI3vuUpvtYg5c4c4NXizZZURkUw*"; pega.d.currAG ="CarsAppl:Administrators"; pega.d.isPortlet = false; pega.d.desktopType = "User"; pega.d.desktopSubType = "Composite"; pega.d.pzUnitTestPKey = "Developer"; var bEncryptURLs = false; pega.desktop.isSpaceHarness = "yes"; pega.desktop.availableSpaces = new Array(); pega.desktop.availableSpaces.push('NewPortal'); pega.d.productionLevel = "2"; pega.d.activeSpaceName = "NewPortal"; var DesktopUserSessionInfo_gStrOperatorId = "Admin@cars"; var DesktopUserSessionInfo_gStrUserName = "Administrator"; var DesktopUserSessionInfo_gStrCurrentWorkPool = "Cars-CarsAppl-Work"; var DesktopUserSessionInfo_gStrStartPage = "NewPortal"; var DesktopUserSessionInfo_gStrDesktopType = "User"; var gLayoutType = "header"; var gOverridePreferences = "false"; var gPersonalRuleSetName = "Admin@cars"; var gWelcomeHTML = "WelcomeScreen"; var gPortalWarnDirty=true; var gPDNQueryURI="https://collaborate.pega.com/discussion/developer-portal-designer-studio-not-loading-properly-after-upgrading-pega-719-pega-61"; var gCurrentAccessGroup="CarsAppl:Administrators"; var gRecoverPreferences = "true"; var gToolsSpaceExists = false; var gRulesSpaceExists = false; var DesktopUserSessionInfo_isAccessible = false; var gIsPegaDeveloper = false; var DesktopUserSessionInfo_gRedirectOnTimeout = false; var gAccessGroupList="CarsAppl:Administrators,"; 
gAccessGroupList=gAccessGroupList.substring(0,gAccessGroupList.length-1); gAccessGroupList=gAccessGroupList.split(","); var gWorkPoolList=""; gWorkPoolList=gWorkPoolList.substring(0,gWorkPoolList.length-1); gWorkPoolList=gWorkPoolList.split(","); var gApplicationRuleSetsList="CarsAppl,CarsApplInt,Cars,CarsInt,UI-Kit-7,"; gApplicationRuleSetsList=gApplicationRuleSetsList.substring(0,gApplicationRuleSetsList.length-1); gApplicationRuleSetsList=gApplicationRuleSetsList.split(","); var localeDirection = "ltr"; var gProjectManagementEnabled = false; var DesktopUserSessionInfo_gStrOperatorId = "Admin@cars"; var bClientValidation = 'true'; var bExpressionCalculation= 'true'; function configure_rule_obj_validate(){} var form_submitCantProceed = "Please correct flagged fields before submitting the form!"; var date_patterns= ["EEEE, MMMM d, yyyy","yyyyMMdd","MMMM d, yyyy","yyyy-MM-dd","MMMM d, yyyy","MMM d, yyyy","M/d/yy","M/d/yy","M/d/yyyy","yyyy/M/d"];var datetime_patterns= ["EEEE, MMMM d, yyyy","yyyyMMdd","MMMM d, yyyy","yyyy-MM-dd","MMMM d, yyyy","MMM d, yyyy","M/d/yy","M/d/yy","M/d/yyyy","MMM d, yyyy h:mm:ss a","yyyyMMddTHHmmss.SSS z","yyyyMMddTHHmmss.SSS","yyyy-MM-ddTHH:mm:ss","yyyy-MM-ddTHH:mm:ss.SSSZ","EEEE, MMMM d, yyyy h:mm:ss a z","MMM d, yyyy h:mm:ss a","M/d/yy h:mm a","M/d/yy h:mm a","M/d/yyyy h:mm a","MMMM d, yyyy h:mm:ss a z"];var time_patterns= ["h:mm:ss a","h:mm:ss a","HH:mm:ss","HH:mm:ss.SSSZ","HHmmss","h:mm:ss a z","h:mm:ss a z","h:mm:ss a","h:mm a"];var decimal_separator = ".";var grouping_separator = ",";var time_patterns_default = ["HH:mm", "h:mm", "HHmm"];time_patterns = time_patterns.concat(time_patterns_default);var amPmStrings =["AM","PM"];var months =["January","February","March","April","May","June","July","August","September","October","November","December"];var weekdays =["","Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"];var shortWeekdays =["","Sun","Mon","Tue","Wed","Thu","Fri","Sat"]; var date_separator = "/"; var 
date_datePos = 2; var date_monthPos = 1; var date_yearPos = 3; var date_dateMsgStr = "is not a valid date value"; var time_timeMsgStr = "is not a valid time value"; var time_use24HourFormat = false; var date_DateTimeMsgStr = "is not a valid date/time value"; var numeric_decimalMsgStr = "is not a valid decimal value"; var numeric_integerMsgStr = "is not a valid integer value"; var numeric_doubleMsgStr = "is not a valid double value"; var boolean_truefalseMsgStr = "is not a valid true/false value"; var required_requiredMsgStr = "Value cannot be blank"; var ruleEditValidate_isPosDecimalMsgStr = "Invalid input - reenter a decimal number greater than 0"; var ruleEditValidate_isNonNegativeMsgStr = "Enter a non-negative number"; var ruleEditValidate_isUrgencyValueMsgStr = "Invalid input - enter a number between 0 and 100"; var ruleEditValidate_isValidEmailAddressMsgStr = "Enter a valid email address"; var ruleEditValidate_isValidPhoneNumberMsgStr = "Enter a valid phone number"; var ruleEditValidate_isFutureDateMsgStr = "Enter a valid future date"; var ruleEditValidate_isNotFutureDateMsgStr = "Enter a valid past date"; var ruleEditValidate_isAlphabeticMsgStr = "Enter a valid alphabetic value"; var ruleEditValidate_isAlphaNumericMsgStr = "Enter a valid alphabetic or numeric value"; var ruleEditValidate_invalidFormatMsgStr = "The value entered is not matching with the format"; var ruleEditValidate_isAlphaNumericSpaceMsgStr = "Enter a valid Alphanumeric or space Value" ; var length_minCharsMsg1 = "The field"; var length_minCharsMsg2 = "should be at least"; var length_minCharsMsg3= "characters long"; var filterPanelRangeMsg1 =": This results in an invalid numeric range"; var filterPanelRangeMsg2 =": This results in an invalid Date range"; function configure_rule_declareExpressions(){rule_declare_expression('$PpyDisplayHarness$ppyShowCaseDefinitions',new Array('$PpyDisplayHarness$ppyCaseTypeClassesForDataExplorer'));rule_declare_expression('$PpyDisplayHarness$ppxInsName',new 
Array('$PpyDisplayHarness$ppxTabLabel'));rule_declare_expression('$PpyDisplayHarness$ppxObjClass',new Array('$PpyDisplayHarness$ppyRuleFormType','$PpyDisplayHarness$ppyRuleHarness'));} function deferredFieldValues() { pega.u.d.Locale = "en_US"; /* Locale of the active requestor - HFIX-4964 */ pega.u.d.TimeZone = "America/New_York"; /* TimeZone of the active requestor */ pega.u.d.inStandardsMode = true; pega.u.d.fieldValuesList = new Hashtable(); pega.u.d.fieldValuesList.put("Continue_work_Warning",'Continuing will replace your work in progress.'); pega.u.d.fieldValuesList.put("Wish_to_Continue",'Do you wish to continue?'); pega.u.d.fieldValuesList.put("ApplyFilter",'Apply'); pega.u.d.fieldValuesList.put("Please_select_a_row",'Please select a row'); pega.u.d.fieldValuesList.put("CancelFilter",'Cancel'); pega.u.d.fieldValuesList.put("enterToExpand",'press enter to expand row'); pega.u.d.fieldValuesList.put("enterToCollapse",'press enter to collapse row'); pega.u.d.fieldValuesList.put("CollapseNodeTitle",'Collapse to hide child rows'); pega.u.d.fieldValuesList.put("ExpandNodeTitle",'Expand to show child rows'); pega.u.d.fieldValuesList.put("FeatureOnlyAvailableOnMobileApp",'This is only available in a mobile app.'); pega.u.d.fieldValuesList.put("ScanOnlyAvailableOnMobileApp",'Barcode scanning is only available when in a mobile app.'); pega.u.d.fieldValuesList.put("FileSizeExceedsMessageOnMobileApp",'File size exceeds attachment size limit of [0] MB.'); pega.u.d.fieldValuesList.put("GetDirectionsActionMyLocation",'My Location'); pega.u.d.fieldValuesList.put("GetDirectionsActionCurrentLocation",'Current Location'); pega.u.d.fieldValuesList.put("WebApiNotReady",'The framework is loading, please try again after sometime.'); pega.u.d.fieldValuesList.put("RequestHasBeenSent",'Your request has been sent. 
Someone will be in contact with you soon about your issue.'); pega.u.d.fieldValuesList.put("RequestSentAsSoonAsReconnect",'Your request will be sent as soon as you reconnect. Someone will be in contact with you soon about your issue.'); pega.u.d.fieldValuesList.put("ErrorSendingRequest",'An error occured when sending your request'); pega.u.d.fieldValuesList.put("OldMenuNotSupportedInHC",'You are attempting to invoke a deprecated menu control which is not supported in the Pega Mobility Cient. Please contact your system administrator to have this fixed.'); pega.u.d.subscriptError= "subscript is not valid or is already in use."; pega.u.d.expandCollapseText = "Click to expand/collapse"; pega.u.d.actionIFrameReadyState = false; pega.u.d.workLabel= 'Data-Portal-DesignerStudio'; pega.u.d.isAccessible = false; pega.u.d.bClientValidforReviewAction = true; pega.u.d.bWarnBeforeChangingWindow = false; pega.u.d.bShowFramePopup = true; pega.u.d.fieldValuesList.put("CLICK_TO_LOAD_TEXT",'Click here to load'); /* BUG-84746 added localization for some field values */ pega.u.d.fieldValuesList.put("REPLACE_WORKITEM_WARNING",'You are about to close an open work item which has changes that have not been saved.'); pega.u.d.fieldValuesList.put("PRESS_OK_TO_CONTINUE",'Press OK to continue and lose your changes.'); pega.u.d.fieldValuesList.put("PRESS_CANCEL_TO_RETURN",'Press Cancel to return to the modified form.'); pega.u.d.fieldValuesList.put("Error",'Error'); pega.u.d.fieldValuesList.put("Show next error",'Show next error'); pega.u.d.fieldValuesList.put("Empty Assignment Key",emptyAssignmentKeys); pega.u.d.fieldValuesList.put("Empty Work Item ID",emptyWorkId); pega.u.d.fieldValuesList.put("Empty Work Item ID",emptyWorkHandle); pega.u.d.fieldValuesList.put("Has Been Submitted",hasBeenSubmitted); pega.u.d.fieldValuesList.put("Sync To Server",syncToServer); pega.u.d.formErrorType = "NONE"; pega.u.d.fieldErrorType = ""; pega.u.d.alwaysShowFormLevelErrors = ""; pega.u.d.pyCustomError = 
"DisplayRFHarnessErrors"; pega.u.d.bExcludeLegacyJS= "true"; pega.u.d.portalID = ""; pega.u.d.portalName = "Developer"; pega.u.d.documentKey = ""; pega.u.d.documentTitle = ""; pega.u.d.documentTooltip = ""; pega.desktop.pyRequestorToken = '1'; pega.desktop.pxClientSession = 'H348DD1CF9C594830D5D95CD65387E70A'; pega.u.d.isHybridClient = ''; /* Save off skin name returned by WorkFormStyles -> GetWorkStyle activity for use by tools such as the UI inspector */ pega.u.d.skinRuleName = 'pzDesignerStudio'; pega.u.d.url = '/prweb/X7yZzKI3vuUpvtYg5c4c4NXizZZURkUw*/!STANDARD?&pzTransactionId=&pzFromFrame=&pzPrimaryPageName=pyDisplayHarness'; pega.u.d.primaryPageName ='pyDisplayHarness'; pega.u.d.keepFixedVisible = ""; pega.u.d.harnessType = 'screen-layout'; pega.u.d.topHarness = 'yes'; pega.u.d.formPost = ""; if(pega.u.d.harnessType && pega.u.d.harnessType == 'layout'){ pega.u.d.fieldValuesList.put("EXPAND_COLLAPSE_MESSAGE",'Click to expand/collapse'); } if(pega.u.d.keepFixedVisible == "") pega.u.d.keepFixedVisible = true; pega.u.d.AccordionAnimSpeed = 1; pega.util.Event.addListener(window,"beforeunload",pega.u.d.harnessOnBeforeUnload); pega.u.d.attachOnload(pega.u.d.harnessOnLoad, false, pega.u.d); pega.util.Event.addListener(window,"unload",pega.u.d.harnessOnUnload,pega.u.d, true); pega.u.d.processHarnessType = "Display"; var topWin = pega.desktop.support.getDesktopWindow() ; if(window == topWin && window.localStorage){ localStorage.setItem("pyRequestorToken"+pega.desktop.pxClientSession,pega.desktop.pyRequestorToken); localStorage.setItem("pyRequestorToken",pega.desktop.pyRequestorToken); } try{ /* BUG-128246 : Checking if DC is Present*/ var workarea = topWin.document.getElementById("workarea"); if(topWin && topWin.pega.u.d.harnessType && topWin.pega.u.d.harnessType == "layout" && workarea != null){ pega.u.d.stretchHarness = true; } }catch(e){ } var windowName =''; function getWindowName(){ winName = window.name; return winName; } function setWindowName(strName) { if 
(strName == null || strName == "") strName = 'Composite_H348DD1CF9C594830D5D95CD65387E70A'; window.name = strName; } var clientWindowName = getWindowName(); if ((windowName != "") && (windowName != clientWindowName)) { if(!window.localStorage){ setWindowName(clientWindowName); var arguments = new Array(); arguments[0]="current"; arguments[1]="@baseclass"; arguments[2]="pzMultipleWindowWarning"; arguments[3]=""; arguments[4]=""; arguments[5]="pyDisplayHarness"; arguments[6]="yes"; arguments[7]=""; arguments[8]="No"; arguments[9]=""; arguments[10]=null; arguments[11]=""; arguments[12]=""; arguments[13]=""; pega.d.showHarnessWrapper.apply(pega.d, arguments); } } else { setWindowName(clientWindowName); } pega.u.d.fieldValuesList.put("STR_COLLAPSE","Click to collapse this pane."); pega.u.d.fieldValuesList.put("STR_EXPAND","Click to expand this pane."); pega.u.d.url = '/prweb/X7yZzKI3vuUpvtYg5c4c4NXizZZURkUw*/!STANDARD?&pzTransactionId=&pzFromFrame=&pzPrimaryPageName=pyDisplayHarness'; } var gStrExpandAllText = 'Expand all'; var gStrCollapseAllText = 'Collapse All'; var gStrClickToExpandText = 'Disclose'; if (gStrClickToExpandText == "") { gStrClickToExpandText = 'Click to expand '; } var gStrClickToCollapseText = 'Hide'; if (gStrClickToCollapseText == "") { gStrClickToCollapseText = 'Click to collapse '; } var gStrClickToCloseText = 'Click to close'; var gStrFeatureNotSupportedInBrowser = 'This feature is not available in your browser'; var gStrBack = 'Back'; var NoModalInModal = 'Only one modal dialog can be opened at a time.'; var NotInAction= 'Local actions are available only when you are performing the assignment.'; var LocalNotInScreen='Local actions cannot be performed on a screen flow'; var FlowActionNotInAssignment='This flow action is not configured in the assignment'; var localCorrectErrors='Please correct current errors to perform this action.'; var bActionIframe = ''; var strHarnessMode = ""; var strSaveText = "Saving..."; var 
strSubmittingText="Submitting..."; var strHarnessPurpose = "pzStudio"; var busyIndText = ""; var strLoadingMsg = 'Loading...'; var strPageName = "pyDisplayHarness"; /*Max attachment size for mobile*/ var maxAttachmentSizeBytes = parseInt("0"); /* BUG-163412 - localization for alerts in desktopwrapper api. - kumad1*/ var emptyAssignmentKeys = 'Empty Assignment Key'; var emptyWorkId = 'Empty Work Item ID'; var emptyWorkHandle = 'Empty Work Item Handle'; var hasBeenSubmitted = 'has been submitted.'; var syncToServer = 'The information will be synched to the server when you're online.'; /*END : BUG-163412 - localization for alerts in desktopwrapper api.*/ /* BUG-84746 added localization for some field values */ var systemNodeID = "8bd6720b5bca23cbf8b708d940ce22c4"; var systemName = "pega"; var applicationName = "CarsAppl"; var strHarnessClass = "Data-Portal-DesignerStudio"; var strKey = ""; var bReadOnly = "0"; var strPrimaryPage = "pyDisplayHarness"; var strPyID=""; var strPyLabel="CarsApplication"; var strPropertyName= ""; var indexInList =0; var strDisplayHarnessParms = ""; function getNextWorkItem(event) { event = (event == undefined)?window.event : event; var userID = "Admin%40cars"; var safeURL = new SafeURL(); safeURL.put("pyActivity", "GetNextWork"); safeURL.put("UserIdentifier", userID); doFormSubmit(safeURL,null,null,event); } var confirm_harness_loaded = false; </script>
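The capture above is the kind of evidence the "give some examples" question asks for. The following is an added Python check (example code, not Pega's or IBM's) that inventories the URL string literals in a captured script and sorts them into server-relative URLs, absolute URLs to the back-end host, and absolute URLs to external hosts. The first two groups are what the thread is about: HTML attribute filtering never sees them, and the absolute ones would hand the internal hostname and port to the browser if they pass through unrewritten, while the external ones must be left alone. The excerpt it runs on is constructed from a few lines of the capture above, and the back-end hostname is taken from those lines; the function names are the example's own.

```python
import re
from urllib.parse import urlsplit

# Quoted string literals that start like a URL: absolute http(s) or
# server-relative ("/..."). Plain relative paths are not recognisable as URLs
# without context, so they are out of scope for this check.
URL_LITERAL_RE = re.compile(r"""(["'])((?:https?://|/)[^"']*)\1""")


def find_url_literals(script_text):
    """Yield (url, kind) for every URL-looking string literal in script text."""
    for m in URL_LITERAL_RE.finditer(script_text):
        url = m.group(2)
        kind = "absolute" if urlsplit(url).netloc else "server-relative"
        yield url, kind


def audit_script(script_text, backend_hosts):
    """Group URL literals by what a reverse proxy would have to do with them.

    backend_hosts: hostnames (without port) of servers behind the proxy.
    Absolute URLs to them need script-level rewriting; absolute URLs to any
    other host must not be touched; server-relative ones would need the
    junction name if the application is served under one.
    """
    report = {"backend_absolute": [], "external_absolute": [], "server_relative": []}
    for url, kind in find_url_literals(script_text):
        if kind == "server-relative":
            report["server_relative"].append(url)
        elif urlsplit(url).hostname in backend_hosts:
            report["backend_absolute"].append(url)
        else:
            report["external_absolute"].append(url)
    return report


# Constructed excerpt in the shape of the captured script (values taken from
# the capture above; lreddn1w7hyd:8719 is the Pega node in that capture).
SAMPLE_CAPTURE = r'''
pega.d.pxReqURI = "/prweb/X7yZzKI3vuUpvtYg5c4c4NXizZZURkUw*/!STANDARD";
pega.d.pxHelpURI = "http://lreddn1w7hyd:8719/prhelp";
pega.d.pxPdnURI = "https://collaborate.pega.com/discussion/developer-portal-designer-studio-not-loading-properly-after-upgrading-pega-719-pega-61";
var requestHomeURI = "http://lreddn1w7hyd:8719/prweb/X7yZzKI3vuUpvtYg5c4c4NXizZZURkUw*";
pega.u.d.url = '/prweb/X7yZzKI3vuUpvtYg5c4c4NXizZZURkUw*/!STANDARD?&pzTransactionId=&pzFromFrame=&pzPrimaryPageName=pyDisplayHarness';
'''

if __name__ == "__main__":
    for bucket, urls in sorted(audit_script(SAMPLE_CAPTURE, {"lreddn1w7hyd"}).items()):
        print(bucket)
        for u in urls:
            print("   ", u)
```

Run against a real Fiddler capture, the backend_absolute bucket is the list to hand to the WebSEAL team: each entry is a script-embedded absolute URL that only script filtering can rewrite, and the external_absolute bucket shows why blanket rewriting of every absolute URL is not an option either.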
Pegasystems Inc.
JP
Hi Naresh,
I don't get your point.
Could you be more specific which PRPC feature may not work with a server-relative URL and the reason why it won't work?
Chunzhi
Updated: 7 Apr 2016 9:39 EDT
Pegasystems Inc.
IN
I don't think PRPC would function effectively if we have relative URLs in place; mainly, static content that relies on the AG hash and other features might fail.
I think there was a request from a customer a year ago asking PRPC to support relative URLs. If I am not wrong, the idea of supporting relative URLs in PRPC was dropped, citing the side effects it would introduce; instead, the Pathbreakers team did work on EPIC-4338 to support PRPC working behind a reverse proxy by configuring XFF headers, but I think this feature work was done on ML10.
Having said that, I may not fully answer your queries; please revert if you need anything.
I will try answering a few of your questions:
- If the application uses cookies, they have to be set in the HTTP header. A cookie that has no value can't be used. - Is the customer on SSL or TLS? All cookies by default can be secured with the prconfig setting
http/setsecurecookie
- URLs written in JavaScript must be relative paths. - Static content might not work; any other side effects?
- Do not use <> for variables. - What do you mean by variables? Query parameters in the URL?