What is the maximum length (in characters) of an SMSession cookie?

Article ID: 20795


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

The SMSession cookie length is not fixed because the information that it contains varies.

The SMSession cookie will generally be between 800 bytes and 1K (sometimes bigger), and generally closer to 800 bytes.

Environment

Release:
Component: Web Agent

Resolution

The SMSESSION cookie length is not fixed. It encrypts the following information:

   SM_AGENTAPI_ATTR_USERDN
   SM_AGENTAPI_ATTR_SESSIONSPEC 
   SM_AGENTAPI_ATTR_SESSIONID
   SM_AGENTAPI_ATTR_USERNAME
   SM_AGENTAPI_ATTR_CLIENTIP
   SM_AGENTAPI_ATTR_DEVICENAME
   SM_AGENTAPI_ATTR_IDLESESSIONTIMEOUT
   SM_AGENTAPI_ATTR_MAXSESSIONTIMEOUT
   SM_AGENTAPI_ATTR_STARTSESSIONTIME
   SM_AGENTAPI_ATTR_LASTSESSIONTIME

Because the length of this information varies, the length of the SMSession cookie varies as well.

The SMSession cookie will generally be between 800 bytes and 1K.

Generally speaking, it is closer to 800 bytes. The length of a cookie depends on the information it contains (the user DN, the last SMSESSION update time, and so on).

The RFC for HTTP cookies specifies that servers should allocate no less than 4K for an HTTP cookie, so we use this as an upper limit, but the cookie should never get close to that limit.

The SMSESSION cookie is encrypted by the Agent key.

Additional Information

Different web servers have different limits on the maximum header size they can handle. If the header size exceeds the web server's limit, increase the maximum header size.
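
The following is an added example, not code from the original article or from the product: a small Python check that measures the SMSESSION cookie and the total request header size against the 4K per-cookie figure and a web server header limit. The 8192-byte header limit, the function names and the sample request are assumptions constructed for illustration; the cookie value is filler, not a real token.

```python
COOKIE_LIMIT = 4096   # per-cookie figure the article takes from the cookie RFC
HEADER_LIMIT = 8192   # ASSUMED web server header limit; use your server's value
TYPICAL_MAX = 1024    # upper end of the typical size given in the article


def parse_cookie_header(value):
    """Split a Cookie header value into {name: value}; values stay opaque."""
    cookies = {}
    for pair in value.split(";"):
        name, sep, val = pair.strip().partition("=")
        if sep and name:
            cookies[name] = val
    return cookies


def check_request(header_lines, cookie_limit=COOKIE_LIMIT, header_limit=HEADER_LIMIT):
    """Measure SMSESSION and total header size for one request's header lines."""
    header_bytes = sum(len(l.encode("latin-1")) + 2 for l in header_lines)  # +2 = CRLF
    smsession_bytes = None
    for line in header_lines:
        field, _, value = line.partition(":")
        if field.strip().lower() != "cookie":
            continue
        for name, val in parse_cookie_header(value).items():
            if name.upper() == "SMSESSION":
                smsession_bytes = len(name) + 1 + len(val)  # name, '=', value
    findings = []
    if smsession_bytes is None:
        findings.append("no SMSESSION cookie")
    elif smsession_bytes > cookie_limit:
        findings.append("SMSESSION exceeds per-cookie limit")
    elif smsession_bytes > TYPICAL_MAX:
        findings.append("SMSESSION larger than typical")
    if header_bytes > header_limit:
        findings.append("request headers exceed server limit")
    return {"smsession_bytes": smsession_bytes, "header_bytes": header_bytes,
            "findings": findings}


def sample_request(value_len):
    """Constructed request headers; the cookie value is filler, not a real token."""
    return ["Host: app.example.com",
            "Cookie: lang=en; SMSESSION=" + "A" * value_len]


if __name__ == "__main__":
    for n in (900, 2000, 5000):
        print(n, check_request(sample_request(n)))
```

Run it against header lines captured at the web server or proxy to see how much of the header budget SMSESSION consumes before raising the server's header limit.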