Web Agent SMSession shared between users within multiple instances


Article ID: 191996


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER



When running a Web Agent, user XXXYYY accesses a resource and that
user's session is later used by user AAABBB.




Policy Server 12.8SP3 on RedHat 7




To prevent the SMSESSION cookie from being cached by proxies, the
ExpireForProxy and ProxyTrust parameters will help, as stated in the
documentation (1).

Read the documentation carefully, as other parameters need to be set
along with these.

Further, as you have an F5 load balancer, you might investigate the
stickiness feature (2).

If possible, to prevent more than one IP address from using the same
cookie, implement the IP check for the cookie (3)(4).


Additional Information



    (1) Configure Agents that Sit behind Proxy Servers
      Customize the Cache-Control and ExpireForProxy Header Settings



    (2) Persistence, otherwise known as stickiness, is a technique implemented
      by ADCs to ensure requests from a single user are always distributed
      to the server on which they started.

      The concept of cookie-based persistence has since been applied to
      application sessions, using session ID information generated by web
      and application servers to ensure that user requests are always
      directed to the same server during the same session.




    (3) Verify IP Addresses

      Compare IP Addresses to Prevent Security Breaches

       The IP checking feature requires the agent to compare the IP address
       stored in a cookie from the last request against the IP address
       contained in the current request. If the IP addresses do not match,
       the agent rejects the request.


    (4) Configure IP Address Validation

      Specifies an HTTP header for which the agent searches to find the IP
      address of the requestor. If no value is specified for this parameter,
      the default is an empty string. No maximum length is enforced and the
      value can be any string that contains a valid HTTP header value.
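The following is an added illustration of the two controls in the resolution; it is not CA, Broadcom or SiteMinder code and does not model the real agent. It simulates a shared proxy cache replaying one user's Set-Cookie response to a second user (the symptom in the issue), shows why a response that issues a session cookie must carry Cache-Control/Expires headers that forbid shared caching (the purpose of ExpireForProxy), and binds the session to a client IP that is read from a forwarded header only when the TCP peer is a trusted proxy (references (3) and (4)). The trusted proxy address, the X-Forwarded-For header name standing in for the configurable header in (4), the cookie layout, the HMAC key, the X-Demo-User header and all IP addresses are constructed for the demo.

```python
"""Added demo (not SiteMinder code): shared-cache session leak and IP-bound session cookies."""
from dataclasses import dataclass, field
import hashlib
import hmac
import ipaddress

SECRET = b"constructed-demo-key"        # constructed; stands in for the agent's real key material
TRUSTED_PROXIES = {"10.0.0.5"}          # assumed address of the load balancer / proxy tier
CLIENT_IP_HEADER = "X-Forwarded-For"    # stands in for the configurable IP header in reference (4)
COOKIE_NAME = "SMSESSION"


@dataclass
class Request:
    peer_ip: str                        # TCP peer as seen by the agent's web server
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)
    set_cookie: dict = field(default_factory=dict)


def client_ip(req: Request) -> str:
    """IP the session is bound to. The forwarded header is honoured only when the TCP
    peer is a trusted proxy; the rightmost entry is the one that proxy appended itself."""
    if req.peer_ip in TRUSTED_PROXIES:
        forwarded = req.headers.get(CLIENT_IP_HEADER, "")
        if forwarded:
            candidate = forwarded.split(",")[-1].strip()
            ipaddress.ip_address(candidate)     # raise on garbage rather than bind to it
            return candidate
    return req.peer_ip


def issue_session(user: str, ip: str) -> str:
    """Constructed cookie format: user|ip|HMAC, so the bound IP cannot be edited client-side."""
    payload = f"{user}|{ip}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def parse_session(cookie: str):
    """Return (user, bound_ip), or None when the cookie is malformed or tampered with."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, ip, mac = parts
    expected = hmac.new(SECRET, f"{user}|{ip}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return user, ip


def handle(req: Request, expire_for_proxy: bool, ip_check: bool) -> Response:
    """Minimal agent: issue a session on first contact, then validate the cookie."""
    ip = client_ip(req)
    cookie = req.cookies.get(COOKIE_NAME)
    if cookie is None:
        user = req.headers.get("X-Demo-User")   # constructed stand-in for real authentication
        if not user:
            return Response(401, "login required")
        resp = Response(200, f"hello {user}")
        resp.set_cookie[COOKIE_NAME] = issue_session(user, ip)
        if expire_for_proxy:
            # A response that sets a session cookie must never be stored by a shared cache.
            resp.headers["Cache-Control"] = "private, no-cache, no-store"
            resp.headers["Expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
        return resp
    parsed = parse_session(cookie)
    if parsed is None:
        return Response(401, "invalid session")
    user, bound_ip = parsed
    if ip_check and bound_ip != ip:
        return Response(403, "session IP mismatch")    # reference (3): reject on mismatch
    return Response(200, f"hello {user}", {"Cache-Control": "private, no-store"})


class SharedProxyCache:
    """Toy shared cache: keeps any 200 response per path unless it is private/no-store."""
    def __init__(self):
        self.store = {}

    def fetch(self, req: Request, origin):
        if req.path in self.store:
            return self.store[req.path]
        resp = origin(req)
        cc = resp.headers.get("Cache-Control", "")
        if resp.status == 200 and "private" not in cc and "no-store" not in cc:
            self.store[req.path] = resp
        return resp


def via_proxy(client: str, headers=None, cookies=None) -> Request:
    """Request as it arrives from the trusted proxy, with the client address appended."""
    return Request("10.0.0.5", "/protected",
                   headers={CLIENT_IP_HEADER: client, **(headers or {})},
                   cookies=cookies or {})


def run_scenarios(expire_for_proxy: bool, ip_check: bool) -> dict:
    """Two users behind one proxy; report whether the second inherits the first's session
    from the cache, and what a replay of the first user's cookie from another IP gets."""
    cache = SharedProxyCache()
    origin = lambda r: handle(r, expire_for_proxy, ip_check)
    first = cache.fetch(via_proxy("192.0.2.10", headers={"X-Demo-User": "XXXYYY"}), origin)
    second = cache.fetch(via_proxy("198.51.100.7"), origin)      # no cookie, no credentials
    leaked = second.set_cookie.get(COOKIE_NAME)
    replay = origin(via_proxy("198.51.100.7", cookies={COOKIE_NAME: first.set_cookie[COOKIE_NAME]}))
    return {
        "second_user_got_first_users_session": leaked is not None and parse_session(leaked)[0] == "XXXYYY",
        "replay_status": replay.status,
    }


if __name__ == "__main__":
    print("no controls      :", run_scenarios(expire_for_proxy=False, ip_check=False))
    print("both controls on :", run_scenarios(expire_for_proxy=True, ip_check=True))
```

With both controls off, the second user is served the cached response and receives XXXYYY's cookie, and a replay from another address is accepted; with both on, the cache refuses to store the cookie-bearing response and the replay is rejected with 403. The check in `client_ip` is the caveat behind reference (4): an agent that reads the requestor's address from a header must only trust that header when the request arrived from the proxy that sets it, otherwise any client can choose the address the session is bound to.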