Regarding the AJAX information


Article ID: 208681


Updated On:


CA Single Sign On Agents (SiteMinder)



We're running a Web Agent and we'd like to know what the problem is
with Ajax calls, when the Web Agent will update the SMSESSION cookies when
Ajax applications are protected, and whether the REST API calls are also
Ajax calls.

Could you clarify?




At first glance, Web Agent handles only HTTP protocol requests. 

  What is HTTP?

     Communication between clients and servers is done by requests and responses:

     A client (a browser) sends an HTTP request to the web
     A web server receives the request
     The server runs an application to process the request
     The server returns an HTTP response (output) to the browser
     The client (the browser) receives the response

The Ajax code is a Web 2.0 protocol, which is different from the HTTP
protocol:

  What is AJAX?

    Conventional web applications transmit information to and from the
    server using synchronous requests. It means you fill out a form, hit
    submit, and get directed to a new page with new information from the

    With AJAX, when you hit submit, JavaScript will make a request to
    the server, interpret the results, and update the current screen. In
    the purest sense, the user would never know that anything was even
    transmitted to the server.


    AJAX is a web browser technology independent of web server software.

    A user can continue to use the application while the client program
    requests information from the server in the background.

    Behind-the-scenes data fetches using XMLHttpRequest objects in the


  AJAX is a developer's dream, because you can:

    Update a web page without reloading the page
    Request data from a server - after the page has loaded
    Receive data from a server - after the page has loaded
    Send data to a server - in the background

That said, the Web Agent will not be aware of the use of
XMLHttpRequests and the data exchanges with the server, as they aren't
traditional web pages, as explained above.

As such, if the browser stays on the same page permanently, the
SMSESSION cookie won't get renewed, even if the user uses the page
permanently. The session status then won't represent the user's
activity, and vice versa.

For that reason, the Web Agent offers the ACO Parameter:

  Apply SiteMinder Behavior to a Web Application Client

    Configure SiteMinder to identify requests originating from the
    script engine that is executing in the context of the Web browser.

    Use a customized response to integrate SiteMinder-generated
    behavior, including a challenge, with the functionality of the web
    application client.

    Configure the response format for requests from Web 2.0 resources
    (AJAX and other API-based calls) at the global level.


    The WebAppClientResponse parameter lets you integrate the required
    functionality to redirect users after a session timeout.
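
One way a page script can consume the customized response described above, as an added example that is not part of the original article or SiteMinder's own code. The 401 status, the JSON fields `reason` and `login`, the `/login` fallback and the `app.example.com` origin are assumptions; the real format is whatever is configured in WebAppClientResponse.

```javascript
// Added example. Assumed (not from the article): the customized response is
// HTTP 401 with JSON {"reason":"session-timeout","login":"<url>"}.
const APP_ORIGIN = "https://app.example.com"; // constructed sample origin

// Decide what the page script should do with the reply to a background call.
function classifyAgentResponse(res, appOrigin = APP_ORIGIN) {
  const pass = { action: "pass" };
  if (res.status !== 401) return pass;
  const type = String(res.headers["content-type"] || "").toLowerCase();
  if (!type.startsWith("application/json")) return pass;
  let body;
  try {
    body = JSON.parse(res.body);
  } catch {
    return pass; // not the customized response, leave it to the caller
  }
  if (!body || body.reason !== "session-timeout") return pass;
  // Follow the supplied login URL only if it resolves to our own HTTPS
  // origin, so a tampered body cannot turn this into an open redirect.
  let target = null;
  if (typeof body.login === "string") {
    try {
      target = new URL(body.login, appOrigin);
    } catch {
      target = null;
    }
  }
  const safe =
    target !== null && target.protocol === "https:" && target.origin === appOrigin;
  // "/login" is a hypothetical fallback path used when the URL is rejected.
  return { action: "reauth", url: safe ? target.href : appOrigin + "/login" };
}

// Browser wiring: route every background call through the check above.
async function guardedFetch(url, options = {}) {
  const response = await fetch(url, { credentials: "same-origin", ...options });
  const verdict = classifyAgentResponse({
    status: response.status,
    headers: { "content-type": response.headers.get("content-type") || "" },
    body: await response.clone().text(),
  });
  if (verdict.action === "reauth") {
    // Full-page navigation lets the agent run its normal login challenge.
    window.location.assign(verdict.url);
    return null;
  }
  return response;
}
```
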

Further, the REST protocol uses operations such as GET, PUT, POST, etc.,
like traditional web pages, and thus these calls can be caught by the Web
Agent. Ajax is different, as it concentrates on data exchanges:

  Is AJAX a Rest api

    Using REST we can do operations (PUT, POST, GET, HEAD) but by using
    AJAX we can only retrieve data from server side, AJAX can be a part
    of REST but REST can never be AJAX


Additional Information


Further reading:

  I don't see IdleTimeout Reason when the Web Agent is configured for webappclientresponse

  Apache Reverse Proxy Web Agent doesn't process the WebAppClientResponse

  Screen freezing after leaving the screen idle for few minutes.

  Issue during the AJAX call.

  Web Agent :: Ajax returns 302 code as it should not