Products: CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER
We're running a Web Agent and, when user XXXYYY accesses a resource, its session later gets used by user AAABBB.
How can we prevent this?
Policy Server 12.8SP3 on RedHat 7
To prevent the SMSESSION cookie from being cached in proxies, the ExpireForProxy and ProxyTrust parameters will help, as stated in the documentation:
Configure Agents that Sit behind Proxy Servers: Customize the Cache-Control and ExpireForProxy Header Settings
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/web-agent-configuration/advanced-configuration-settings/agents-and-proxy-servers.html#concept.dita_0ddef1973865831c1b3ef9847bed8ae11901af59_CustomizetheCacheControlandExpireForProxyHeaderSettings
Read the documentation carefully, as other parameters need to be set along with these.
Further, as you have an F5 load balancer, you might investigate the stickiness feature on it in order to:
Persistence, otherwise known as stickiness, is a technique implemented by ADCs to ensure that requests from a single user are always distributed to the server on which they started.
The concept of cookie-based persistence has since been applied to application sessions, using session ID information generated by web and application servers to ensure that user requests are always directed to the same server during the same session.
If possible, to prevent more than one IP address from using the cookie, implement the IP check for the cookie:
Verify IP Addresses: Compare IP Addresses to Prevent Security Breaches
The IP checking feature requires the agent to compare the IP address stored in a cookie from the last request against the IP address contained in the current request. If the IP addresses do not match, the agent rejects the request.
Specifies an HTTP header for which the agent searches to find the IP address of the requestor. If no value is specified for this parameter, the default is an empty string. No maximum length is enforced and the value can be any string that contains a valid HTTP header value.
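The following Python is an added illustration of the IP check described above; it is not SiteMinder code and models the agent logic in simplified form. It assumes the configured header is X-Forwarded-For, and the addresses (load balancer 10.0.0.5, clients 203.0.113.10 and 198.51.100.7) are constructed. It also shows why the header matters behind an F5: without it every request carries the balancer's address, so the check cannot distinguish two users.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import ipaddress

# Constructed values: the load balancer's address and the header it populates
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
CLIENT_IP_HEADER = "X-Forwarded-For"  # assumed header name

@dataclass
class Request:
    peer_ip: str                       # TCP source address seen by the agent
    headers: Dict[str, str]
    cookie_ip: Optional[str] = None    # IP recorded in the session cookie

def effective_client_ip(req: Request) -> str:
    """IP the agent attributes the request to.

    The forwarded header is honoured only when the TCP peer is a trusted
    proxy; from anyone else it could be forged, so it is ignored.
    """
    peer = ipaddress.ip_address(req.peer_ip)
    if peer in TRUSTED_PROXIES:
        forwarded = req.headers.get(CLIENT_IP_HEADER, "")
        if forwarded:
            # The trusted proxy appends the address it received from as the
            # last element, so that is the only one we can rely on.
            return forwarded.split(",")[-1].strip()
    return str(peer)

def check_session(req: Request) -> Tuple[bool, str]:
    """Accept only if the request's client IP matches the cookie's IP."""
    client_ip = effective_client_ip(req)
    if req.cookie_ip is None:
        return True, f"new session bound to {client_ip}"
    if req.cookie_ip != client_ip:
        return False, f"cookie bound to {req.cookie_ip}, request from {client_ip}"
    return True, "ip match"

if __name__ == "__main__":
    lb = "10.0.0.5"
    # Without the header every request arrives from the balancer, so the
    # check cannot tell two users apart (the weakness behind this KB).
    print(check_session(Request(lb, {}, cookie_ip=lb)))
    # With the header, a cookie bound to one client is rejected from another.
    print(check_session(Request(lb, {CLIENT_IP_HEADER: "198.51.100.7"}, "203.0.113.10")))
    # A client forging the header from outside the proxy is still rejected.
    print(check_session(Request("198.51.100.7", {CLIENT_IP_HEADER: "203.0.113.10"}, "203.0.113.10")))
```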