Why is SMSESSION cookie gone missing

Article ID: 108967


Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

The SMSESSION cookie is lost during the login process and the user is challenged again.

Why is the SMSESSION cookie not submitted to certain sites during the login process? (This causes a redirect loop at login.)

Use case:

Protected site1: https://www.example.lab/protected/
Protected site2: https://application.example.lab/protected/
Login site: https://login.example.lab/siteminderagent/forms/login.fcc

The user accesses site1 and is redirected to the login page.
The user submits credentials and gets access to site1 successfully.
The user then accesses site2 and is redirected to the login page.
The header trace shows that the SMSESSION cookie was successfully set and submitted to site1 and the login site.
The SMSESSION cookie is lost when accessing site2.

Environment

Internet Explorer is used.


 

Resolution

There can be many reasons why a browser does not submit a cookie, but when Internet Explorer is involved you need to check whether all of the sites are registered in the same zone.
In the above use case, it is highly likely that site1 and the login site are registered in the "Local Intranet" or "Trusted Sites" zone, while site2 is in the "Internet" zone or is not registered in any zone's site list at all.

IE maintains cookies per zone and does not share cookies between sites whose zones do not match.
site1 and the login site are in the Trusted Sites zone, so the SMSESSION cookie will be submitted to them if the cookie was set in this zone.
If site2 is in a different zone, the cookie will not be submitted to it, even if the cookie domain, path and secure flag match.

The following article describes this in more detail.
https://blogs.msdn.microsoft.com/ieinternals/2011/03/10/beware-cookie-sharing-in-cross-zone-scenarios/
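
One way to run the zone check described above on the affected workstation, as an added example that is not part of the original article or the product. It assumes Windows PowerShell 5.1 (.NET Framework) run as the affected user; the function names `Get-UrlZone` and `Test-SessionCookieZone` are hypothetical, and the URLs are the ones from the use case.

```powershell
# Added example: compare the IE security zone of each protected site
# with the zone of the login site that sets SMSESSION.
# Assumption: Windows PowerShell 5.1, run in the affected user's session.

function Get-UrlZone {
    param([Parameter(Mandatory)][string]$Url)
    # Zone.CreateFromUrl returns the zone Windows resolves for the URL:
    # MyComputer, Intranet, Trusted, Internet or Untrusted.
    $zone = [System.Security.Policy.Zone]::CreateFromUrl($Url).SecurityZone
    [pscustomobject]@{
        Host = ([uri]$Url).Host
        Zone = $zone
    }
}

function Test-SessionCookieZone {
    param(
        [Parameter(Mandatory)][string]$LoginUrl,
        [Parameter(Mandatory)][string[]]$ProtectedUrl
    )
    $login = Get-UrlZone -Url $LoginUrl
    foreach ($u in $ProtectedUrl) {
        $site = Get-UrlZone -Url $u
        [pscustomobject]@{
            Host      = $site.Host
            Zone      = $site.Zone
            LoginHost = $login.Host
            LoginZone = $login.Zone
            SameZone  = ($site.Zone -eq $login.Zone)
        }
    }
}

$result = Test-SessionCookieZone `
    -LoginUrl 'https://login.example.lab/siteminderagent/forms/login.fcc' `
    -ProtectedUrl 'https://www.example.lab/protected/',
                  'https://application.example.lab/protected/'

$result | Format-Table -AutoSize

# Any host reported here is in a different zone from the login site,
# which matches the symptom of SMSESSION not being submitted to it.
$result | Where-Object { -not $_.SameZone } | ForEach-Object {
    Write-Warning ("{0} is in zone {1}; login site {2} is in zone {3}" -f `
        $_.Host, $_.Zone, $_.LoginHost, $_.LoginZone)
}
```

A `SameZone` value of `False` for site2 points to the zone assignment (for example the Trusted Sites or Local Intranet site list) as the place to correct.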

Additional Information

Microsoft Developer Blog: https://blogs.msdn.microsoft.com/ieinternals/2011/03/10/beware-cookie-sharing-in-cross-zone-scenarios/