SMSession Shared Between Users


Article ID: 191996



Products:
  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER


We're running a Web Agent, and when user XXXYYY accesses a resource,

that user's session later gets used by user AAABBB.

How can we prevent this?


Policy Server 12.8SP3 on RedHat 7


To prevent the SMSESSION cookie from being cached by proxies, the
ExpireForProxy and ProxyTrust parameters will help, as described in the
documentation:

  Configure Agents that Sit behind Proxy Servers
  Customize the Cache-Control and ExpireForProxy Header Settings

Read the documentation carefully, as other parameters need to be set
along with these.
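How a shared proxy cache turns one user's response into another user's session, and why the cache-control headers stop it, as an added illustration in Python (this is not CA/Broadcom code and not the Web Agent's real logic): a minimal shared cache that stores any response it is not told to keep out, a simulated protected resource that sets each user's SMSESSION cookie, and two header sets. The weak set sends no caching headers; the hardened set sends `Cache-Control: no-store, no-cache, private` and `Expires: 0`, which are assumed here as representative of what ExpireForProxy produces (the exact headers your agent emits depend on its Cache-Control/ExpireForProxy settings, so check the documentation). User names, URL and token values are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def shared_cache_may_store(headers):
    """Storage rules a shared (proxy) cache applies per RFC 7234.

    A shared cache must not store a response carrying Cache-Control
    no-store or private; a response whose Expires is already in the past is
    stale on arrival, and this model simply declines to store it.
    """
    directives = {d.strip().lower()
                  for d in headers.get("Cache-Control", "").split(",")}
    if directives & {"no-store", "private"}:
        return False
    expires = headers.get("Expires")
    if expires is not None:
        try:
            exp = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            exp = None  # RFC 7234 5.3: invalid values such as "0" mean "in the past"
        if exp is not None and exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        if exp is None or exp <= datetime.now(timezone.utc):
            return False
    return True


class SharedProxyCache:
    """Naive shared cache keyed on URL only: it keeps whatever it is not told
    to keep out, which is the behaviour that leaks a session between users.
    (Real proxies vary; some refuse Set-Cookie responses by default.)"""

    def __init__(self):
        self.store = {}

    def fetch(self, url, origin):
        if url in self.store:
            return self.store[url]          # cache hit: another user's copy
        resp = origin(url)
        if shared_cache_may_store(resp.headers):
            self.store[url] = resp
        return resp


def make_origin(hardened, logins):
    """Simulated protected resource behind the Web Agent. Each origin request
    authenticates the next (user, token) pair in `logins` and sets that
    user's SMSESSION cookie on the response."""
    pending = iter(logins)

    def origin(url):
        user, token = next(pending)
        headers = {"Set-Cookie": f"SMSESSION={token}; Path=/; Secure; HttpOnly"}
        if hardened:
            # Assumed representative of what ExpireForProxy emits; the exact
            # headers depend on the agent's Cache-Control/ExpireForProxy settings.
            headers["Cache-Control"] = "no-store, no-cache, private"
            headers["Expires"] = "0"
        return Response(f"Welcome {user}", headers)

    return origin


def smsession_received_by_second_user(hardened):
    """Send user XXXYYY and then user AAABBB through the same proxy to the
    same URL and return the SMSESSION value AAABBB's browser ends up with."""
    cache = SharedProxyCache()
    origin = make_origin(hardened, [("XXXYYY", "tokenA"), ("AAABBB", "tokenB")])
    cache.fetch("/protected/app", origin)              # XXXYYY logs in
    second = cache.fetch("/protected/app", origin)     # AAABBB requests the same page
    cookie = second.headers["Set-Cookie"].split(";")[0]
    return cookie.split("=", 1)[1]


if __name__ == "__main__":
    print("no cache headers :", smsession_received_by_second_user(False))  # tokenA: leaked
    print("hardened headers :", smsession_received_by_second_user(True))   # tokenB
```

With no caching headers the proxy stores XXXYYY's response, including its Set-Cookie, and replays it to AAABBB, whose browser then carries XXXYYY's SMSESSION, which is exactly the symptom reported above. With no-store/private and a past Expires the shared cache never stores the response, so each user only ever receives a cookie issued for them.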

Further, as you have an F5 load balancer, you might investigate its
stickiness (persistence) feature, so that all requests from one user keep
going to the same back-end server:


  Persistence, otherwise known as stickiness, is a technique implemented
  by ADCs (application delivery controllers) to ensure requests from a
  single user are always distributed to the server on which they started.


  The concept of cookie-based persistence has since been applied to
  application sessions, using session ID information generated by web
  and application servers to ensure that user requests are always
  directed to the same server during the same session.


If possible, to prevent the same SMSESSION cookie from being used from
more than one IP address, implement the agent's IP check for the cookie:

  Verify IP Addresses
    Compare IP Addresses to Prevent Security Breaches

     The IP checking feature requires the agent to compare the IP address
     stored in a cookie from the last request against the IP address
     contained in the current request. If the IP addresses do not match,
     the agent rejects the request.

  Configure IP Address Validation (CustomIpHeader parameter)

    Specifies an HTTP header for which the agent searches to find the IP
    address of the requestor. If no value is specified for this parameter,
    the default is an empty string. No maximum length is enforced and the
    value can be any string that contains a valid HTTP header value.

Note that behind the F5 every request reaches the agent from the load
balancer's own address, so the IP check only separates users if the agent
reads the original client address from a header the F5 inserts (for
example X-Forwarded-For) via this parameter. That header must only be
honoured on requests that actually arrive from the load balancer;
otherwise a client connecting around it can forge the header and defeat
the check.
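The IP check described above, modelled in Python as an added illustration (not CA code and not the Web Agent's implementation): the agent remembers the client IP with the session, rejects a later request whose client IP differs, reads that client IP from a forwarding header only when the request comes from a trusted proxy, and ignores a forged header from anyone else. The load balancer address 10.0.0.5, the header name X-Forwarded-For, and the client addresses and user names are assumptions for the demo; the last case shows what happens when no header is configured at all.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    peer_ip: str                                  # TCP peer the web server accepted
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class Agent:
    """Toy stand-in for the Web Agent's IP check."""

    def __init__(self, trusted_proxies, custom_ip_header=None):
        self.trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
        self.header = custom_ip_header           # None: use the peer address only
        self.sessions = {}                       # SMSESSION -> (user, last client IP)

    def client_ip(self, req):
        """IP the request is attributed to: the header value, but only when the
        request really arrived from a trusted proxy; otherwise the TCP peer."""
        peer = ipaddress.ip_address(req.peer_ip)
        if self.header and peer in self.trusted:
            raw = req.headers.get(self.header, "")
            chain = [h.strip() for h in raw.split(",") if h.strip()]
            if chain:
                try:
                    # the proxy appends the address it accepted the connection
                    # from, so the rightmost entry is the one it vouches for
                    return ipaddress.ip_address(chain[-1])
                except ValueError:
                    pass                         # garbage header: fall back to the peer
        return peer

    def login(self, user, req):
        token = secrets.token_urlsafe(16)
        self.sessions[token] = (user, self.client_ip(req))
        return token

    def access(self, req):
        """Return ("allow", user), ("reject", None) on an IP mismatch, or
        ("challenge", None) when there is no valid session cookie."""
        token = req.cookies.get("SMSESSION")
        if token not in self.sessions:
            return "challenge", None
        user, last_ip = self.sessions[token]
        ip = self.client_ip(req)
        if ip != last_ip:
            return "reject", None
        self.sessions[token] = (user, ip)        # remember the IP of this request
        return "allow", user


F5_SNAT = "10.0.0.5"          # assumed address the load balancer connects from


def via_f5(client, cookies=None):
    """Request as the agent sees it after the F5 has forwarded it."""
    return Request(F5_SNAT, {"X-Forwarded-For": client}, cookies or {})


def demo():
    agent = Agent([F5_SNAT], "X-Forwarded-For")
    tok = agent.login("XXXYYY", via_f5("203.0.113.10"))
    same_ip = agent.access(via_f5("203.0.113.10", {"SMSESSION": tok}))
    other_ip = agent.access(via_f5("198.51.100.7", {"SMSESSION": tok}))
    # direct connection that forges the header: the peer is not the proxy,
    # so the header is ignored and the real peer address is compared instead
    forged = agent.access(Request("198.51.100.7",
                                  {"X-Forwarded-For": "203.0.113.10"},
                                  {"SMSESSION": tok}))
    # no CustomIpHeader: every request behind the F5 "comes from" 10.0.0.5,
    # so a copied cookie passes the IP check from any client
    naive = Agent([F5_SNAT])
    tok2 = naive.login("XXXYYY", via_f5("203.0.113.10"))
    no_header = naive.access(via_f5("198.51.100.7", {"SMSESSION": tok2}))
    return {"same_ip": same_ip, "other_ip": other_ip,
            "forged_header": forged, "no_custom_ip_header": no_header}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

The last case is the one to watch for in a load-balanced deployment: with IP checking on but no header configured, all users share the load balancer's address and the check never fires, so it gives no protection against the cookie being reused by a second user.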