Regarding the AJAX information

Article ID: 208681

Updated On:

Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

 

We're running a Web Agent and we'd like to know what the problem is
with Ajax calls, when the Web Agent will update the SMSESSION cookies
when Ajax applications are protected, and whether REST API calls are
also Ajax calls.

Could you clarify?

 

Resolution

 

At first glance, the Web Agent handles only HTTP protocol requests.

  What is HTTP?

     Communication between clients and servers is done by requests and responses:

     A client (a browser) sends an HTTP request to the web
     A web server receives the request
     The server runs an application to process the request
     The server returns an HTTP response (output) to the browser
     The client (the browser) receives the response

  https://www.w3schools.com/whatis/whatis_http.asp

Ajax code is a Web 2.0 protocol, which is different from the HTTP
protocol:

  What is AJAX?

    Conventional web applications transmit information to and from the
    server using synchronous requests. It means you fill out a form, hit
    submit, and get directed to a new page with new information from the
    server.

    With AJAX, when you hit submit, JavaScript will make a request to
    the server, interpret the results, and update the current screen. In
    the purest sense, the user would never know that anything was even
    transmitted to the server.

    [...]

    AJAX is a web browser technology independent of web server software.

    A user can continue to use the application while the client program
    requests information from the server in the background.

    Behind-the-scenes data fetches using XMLHttpRequest objects in the
    browser.

  https://www.tutorialspoint.com/ajax/what_is_ajax.htm

and 

  AJAX is a developer's dream, because you can:

    Update a web page without reloading the page
    Request data from a server - after the page has loaded
    Receive data from a server - after the page has loaded
    Send data to a server - in the background

  https://www.w3schools.com/xml/ajax_intro.asp

That said, the Web Agent will not be aware of the use of
XMLHttpRequests and data exchanges with the server, as they aren't
traditional web pages, as explained above.

As such, if the browser stays on the same page permanently, the
SMSESSION cookie won't get renewed, even if the user uses the page
permanently. The session status then won't represent the user's
activity, and vice versa.

For that reason, the Web Agent offers the ACO Parameter
WebAppClientResponse.

  Apply SiteMinder Behavior to a Web Application Client

    Configure SiteMinder to identify requests originating from the
    script engine that is executing in the context of the Web browser.

    Use a customized response to integrate SiteMinder-generated
    behavior, including a challenge, with the functionality of the web
    application client.

    Configure the response format for requests from Web 2.0 resources
    (AJAX and other API-based calls) at the global level.

    [...]

    the WebAppClientResponse parameter lets you integrate the required
    functionality to redirect users after a session timeout.

  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/session-protection/apply-siteminder-behavior-to-a-web-application-client.html
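
The client side of the customized-response approach quoted above, as an added example that is not part of the original article and is not Broadcom code: a response classifier the page's script can run on every background call to detect an expired session. The 401 status, the JSON body fields `sessionExpired` and `loginUrl`, the helper names and the `app.example.test` origin are all assumptions; match them to the response format actually configured.

```javascript
// Added example (not Broadcom code). ASSUMED customized response for
// script-originated requests after a session timeout:
//   HTTP 401, Content-Type: application/json,
//   body {"sessionExpired": true, "loginUrl": "<where to re-authenticate>"}
const EXPIRED_STATUS = 401; // assumption: match the status you configured

// Accept only a same-origin login URL, so a tampered response body cannot
// turn the re-authentication step into an open redirect.
function safeLoginUrl(candidate, pageOrigin) {
  if (typeof candidate !== "string") return null;
  try {
    const url = new URL(candidate, pageOrigin);
    return url.origin === pageOrigin ? url.href : null;
  } catch {
    return null;
  }
}

// res: { status, headers, body, redirected }, e.g. built from a fetch() Response.
function classifyAjaxResponse(res, pageOrigin, expectedType = "application/json") {
  const type = (res.headers["content-type"] || "").split(";")[0].trim().toLowerCase();

  // Case 1: the customized response the client script was written to expect.
  if (res.status === EXPIRED_STATUS && type === "application/json") {
    let body = null;
    try { body = JSON.parse(res.body); } catch { /* not JSON: fall through */ }
    if (body && body.sessionExpired === true) {
      return { action: "reauthenticate", loginUrl: safeLoginUrl(body.loginUrl, pageOrigin) };
    }
  }
  // Case 2: no customized response. The browser followed a redirect on its
  // own, so the script receives an HTML page where it expected data.
  if (res.redirected || (res.status === 200 && type === "text/html" && expectedType !== "text/html")) {
    return { action: "reauthenticate", loginUrl: null };
  }
  if (res.status >= 200 && res.status < 300) return { action: "process" };
  return { action: "error" };
}

// Constructed sample responses (not captured traffic).
const ORIGIN = "https://app.example.test";
const expired = { status: 401, redirected: false,
  headers: { "content-type": "application/json; charset=utf-8" },
  body: '{"sessionExpired":true,"loginUrl":"/login?target=%2Fapp"}' };
const loginPage = { status: 200, redirected: true,
  headers: { "content-type": "text/html" }, body: "<html>login form</html>" };
console.log(classifyAjaxResponse(expired, ORIGIN));
console.log(classifyAjaxResponse(loginPage, ORIGIN));
```

A `loginUrl` of `null` means the script should fall back to a fixed, known login location rather than trust anything in the response.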

Further, the REST protocol uses operations such as GET, PUT, POST,
etc., like traditional web pages, and thus these calls can be caught by
the Web Agent. Ajax is different, as it concentrates on data exchanges:

  Is AJAX a Rest api

    Using REST we can do operations (PUT, POST, GET, HEAD) but by using
    AJAX we can only retrieve data from server side, AJAX can be a part
    of REST but REST can never be AJAX

  https://stackoverflow.com/questions/22691644/is-ajax-a-rest-api#:~:text=2%20Answers&text=AJAX%20is%20a%20set%20of,accessed%20by%20an%20AJAX%20client

 

Additional Information

 

Further reading :

  I don't see IdleTimeout Reason when the Web Agent is configured for webappclientresponse
  https://knowledge.broadcom.com/external/article?articleId=6958

  Apache Reverse Proxy Web Agent doesn't process the WebAppClientResponse
  https://knowledge.broadcom.com/external/article?articleId=7582

  Screen freezing after leaving the screen idle for few minutes.
  https://knowledge.broadcom.com/external/article?articleId=138201

  Issue during the AJAX call.
  https://knowledge.broadcom.com/external/article?articleId=143422

  Web Agent :: Ajax returns 302 code as it should not
  https://knowledge.broadcom.com/external/article?articleId=133617