SMsession created without a domain name?


Article ID: 185694


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
SITEMINDER

Issue/Introduction

Users are impacted by a looping login page for a federated IDP-initiated connection. Fiddler shows an SMSession cookie with no domain added to the browser that doesn't show up in the Chrome or Firefox dev tools. I would like to know how an SMSession can be created without a domain name and how to manage such a cookie.

Cause

A cookie set without a domain attribute is considered a host-only cookie: its 'domain' is effectively the FQDN of the host that set it. Because the cookie is specific to that FQDN, the browser will present it only to that same host. If a SiteMinder Web Agent is setting a host-only cookie, the most likely cause is that the CookieDomainScope parameter is set to too high a value. The other, less likely cause is that CookieDomain is set to 'none'. 'None' is a special value for the CookieDomain parameter that instructs the Web Agent to set host-only cookies exclusively.

Some customers have reported that these host-only cookies are not destroyed by a browser cache flush. If that is the case and transient (session) cookies are in use, simply close the browser. Persistent cookies that a browser cache flush will not delete for any reason can be located on disk and deleted directly from the file system. Contact the browser vendor if there are any questions on how a particular browser manages host-only cookies.
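As an added illustration that is not part of this article, the following Python models how a browser scopes a Set-Cookie header with and without a Domain attribute (RFC 6265), so a practitioner can see why a host-only SMSESSION set by one host is never presented to another host in the same federation flow. The host names and cookie values are constructed for the example.

```python
def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lowercased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookie_scope(set_cookie: str, setting_host: str) -> tuple:
    """Return (stored domain, host_only) as a browser records them (RFC 6265 5.3):
    no Domain attribute -> host-only cookie scoped to the setting FQDN; a Domain
    attribute (leading dot ignored) -> domain cookie that must cover the setter.
    """
    attrs = parse_set_cookie(set_cookie)["attrs"]
    domain = attrs.get("domain", "").lstrip(".").lower()
    host = setting_host.lower()
    if not domain:
        return host, True
    if not domain_matches(host, domain):
        raise ValueError(f"{host} may not set a cookie for {domain}")
    return domain, False


def will_be_sent(set_cookie: str, setting_host: str, request_host: str) -> bool:
    """Would the browser present this cookie to request_host? (Real browsers also
    apply public-suffix and Path checks, omitted here.)"""
    domain, host_only = cookie_scope(set_cookie, setting_host)
    if host_only:
        return request_host.lower() == domain
    return domain_matches(request_host, domain)


# Constructed sample headers, not captured traffic: the same SMSESSION cookie
# once as a host-only cookie and once as a domain cookie.
HOST_ONLY = "SMSESSION=opaque-token; Path=/; Secure; HttpOnly"
DOMAIN_WIDE = "SMSESSION=opaque-token; Domain=.example.com; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for header in (HOST_ONLY, DOMAIN_WIDE):
        for target in ("idp.example.com", "sp.example.com"):
            print(header.split(";")[0], "->", target, will_be_sent(header, "idp.example.com", target))
```

Run stand-alone, it shows the host-only cookie reaching only idp.example.com while the domain cookie reaches both hosts.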

Environment

Release : ALL

Component : ALL SITEMINDER

Resolution

If you do not want the Web Agent setting host-only cookies, verify that CookieDomainScope is set to an appropriately low value. Also verify that CookieDomain is set neither to the special value 'none' nor to a hostname. The most common configuration is a blank (null) CookieDomain value and CookieDomainScope=0 (this automatically detects the cookie domain and uses the highest scope that does not result in a host-only cookie).