When running Session Linker on CA Access Gateway (SPS), if a request
has no valid session, Session Linker doesn't redirect the
browser to the configured URL. The CA Access Gateway (SPS) Agent logs
and traces also don't report any error or processing.
CA Access Gateway (SPS) is not set to process authorization. Because
Session Linker acts at the authorization phase, no validation of the
cookie against the cookie the backend expects takes place.
sps.training.com.log :
[13992/140153716033280][Tue May 04 2021 13:53:20] enableauthorization=no
[13992/140153716033280][Tue May 04 2021 13:53:20] sessionlinker=Cookie=TestCookie;COOKIEPATH=/;COOKIEDOMAIN=training.com;NOBLOT;URL=/backend
sps.training.com.trace :
[05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
[CSmSessionManager::EstablishSession][SM_WAF_SESSIONLINKER_PLUGIN->EstablishSession returned SmNoAction.]
[05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
[CSmSessionManager::EstablishSession][Calling SM_WAF_CERTSESSIONLINKER_PLUGIN->EstablishSession.]
[05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
[CSmSessionManager::EstablishSession][SM_WAF_CERTSESSIONLINKER_PLUGIN->EstablishSession returned SmNoAction.]
[05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
[IsResourceProtected][Resource is protected from cache.]
[05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
[CSmSessionManager::CreateSession][Calling SM_WAF_SESSIONLINKER_PLUGIN->CreateSession.]
[05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
[CSmSessionManager::CreateSession][SM_WAF_SESSIONLINKER_PLUGIN->CreateSession returned SmNoAction.]
[05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
[CSmSessionManager::CreateSession][Calling SM_WAF_CERTSESSIONLINKER_PLUGIN->CreateSession.]
[05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
[CSmSessionManager::CreateSession][SM_WAF_CERTSESSIONLINKER_PLUGIN->CreateSession returned SmNoAction.]
[05/04/2021][13:55:58][13992][140152556812032][88e70173-f2d1de44-2210d67d-5adb9a81-5c4764ea-1da]
[ProcessRequest][ Authorization is skipped as it is not enabled. AuthenticationManager returned SmYes, end new request.]
When SPS is configured to process authorization (EnableAuthorization
set to yes), Session Linker reports its actions:
Protection, Authentication and Authorization on SPS :
When the backend application sends the cookie :
[05/03/2021][11:48:14][7700][139625296123648][3f59a3f1-d5bd4899-50cb55a8-964aded5-5442af65-59]
[ProcessResponses][Calling SM_WAF_SESSIONLINKER_PLUGIN->ProcessResponses.]
[05/03/2021][11:48:14][7700][139625296123648][3f59a3f1-d5bd4899-50cb55a8-964aded5-5442af65-59]
[CSmSessionLinkerPlugin::ProcessResponses][SMSERVERSESSIONID = YGjhyAYRDToLAMQVvKtKXh7y/7U=]
[05/03/2021][11:48:14][7700][139625296123648][3f59a3f1-d5bd4899-50cb55a8-964aded5-5442af65-59]
[CSmSessionLinkerPlugin::ProcessResponses][SMTIMETOEXPIRE = 7200]
[05/03/2021][11:48:14][7700][139625296123648][3f59a3f1-d5bd4899-50cb55a8-964aded5-5442af65-59]
[CSmSessionLinkerPlugin::ProcessResponses][ForeignSessionIdentifier=TestCookie,
SmSessionID=YGjhyAYRDToLAMQVvKtKXh7y/7U=, ForeignSessionValue=hello+world]
[05/03/2021][11:48:14][7700][139625296123648][3f59a3f1-d5bd4899-50cb55a8-964aded5-5442af65-59]
[CSmSessionLinkerPlugin::ProcessResponses][New Link Added.]
When the backend application doesn't send the cookie :
[05/03/2021][11:56:47][7700][139625294018304][e8f5cd21-d36138a9-424b794d-56bef5c3-22aada52-9]
[CSmSessionLinkerPlugin::ProcessResponses][SMSERVERSESSIONID = TGP4a+kOzVb8Ebbo/kjNIAfxSTI=]
[05/03/2021][11:56:47][7700][139625294018304][e8f5cd21-d36138a9-424b794d-56bef5c3-22aada52-9]
[CSmSessionLinkerPlugin::ProcessResponses][SMTIMETOEXPIRE = 7200]
[05/03/2021][11:56:47][7700][139625294018304][e8f5cd21-d36138a9-424b794d-56bef5c3-22aada52-9]
[CSmSessionLinkerPlugin::ProcessResponses][ForeignSessionIdentifier=TestCookie,
SmSessionID=TGP4a+kOzVb8Ebbo/kjNIAfxSTI=, ForeignSessionValue=hello+world]
[05/03/2021][11:56:47][7700][139625294018304][e8f5cd21-d36138a9-424b794d-56bef5c3-22aada52-9]
[CSmSessionLinkerPlugin::ProcessResponses][Bad link. Blotting the cookie. (This usually indicates cookie tampering4.)]
[05/03/2021][11:56:47][7700][139625294018304][e8f5cd21-d36138a9-424b794d-56bef5c3-22aada52-9]
[CSmSessionLinkerPlugin::ProcessResponses][Bad link. Displaying error. This usually indicates cookie tampering.]
[05/03/2021][11:56:47][7700][139625294018304][e8f5cd21-d36138a9-424b794d-56bef5c3-22aada52-9]
[CSmSessionLinkerPlugin::ProcessResponses][Bad link. Redirecting to URL '/backend'. (This usually indicates cookie tampering.)]
[05/03/2021][11:56:47][7700][139625294018304][e8f5cd21-d36138a9-424b794d-56bef5c3-22aada52-9]
[ProcessResponses][SM_WAF_SESSIONLINKER_PLUGIN->ProcessResponses returned SmFailure.]
As per a KD (1), you have to enable authorization processing on the CA
Access Gateway (SPS) when the SPS shows the log line :
Authorization is skipped as it is not enabled. AuthenticationManager returned SmYes, end new request.
In the CA Access Gateway (SPS) ACO, set the following parameter :
EnableAuthorization to yes
(1)
Custom HTTP response headers missing
Authorization is skipped as it is not enabled. AuthenticationManager returned SmYes, end new request
[...]
EnableAuthorization to yes (or comment out as the default value is yes)
https://knowledge.broadcom.com/external/article/136122/custom-http-response-headers-missing.html
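The check described above can be run over the agent log and trace to catch this misconfiguration before users hit it. The following is an added example, not Broadcom code: the function names are hypothetical, the sample text is copied from the excerpts on this page, and it assumes startup parameters are logged as name=value lines as shown above.

```python
import re

# Excerpts copied from the log and trace lines shown on this page.
SAMPLE_LOG = """\
[13992/140153716033280][Tue May 04 2021 13:53:20] enableauthorization=no
[13992/140153716033280][Tue May 04 2021 13:53:20] sessionlinker=Cookie=TestCookie;COOKIEPATH=/;COOKIEDOMAIN=training.com;NOBLOT;URL=/backend
"""
SAMPLE_TRACE = """\
[CSmSessionManager::CreateSession][SM_WAF_SESSIONLINKER_PLUGIN->CreateSession returned SmNoAction.]
[ProcessRequest][ Authorization is skipped as it is not enabled. AuthenticationManager returned SmYes, end new request.]
"""

# Matches "[pid/tid][timestamp] name=value" startup lines.
PARAM_RE = re.compile(r"^\[[^\]]*\]\[[^\]]*\]\s*(\w+)=(.*)$")

def parse_startup_params(log_text):
    """Return {lowercased name: value} for the name=value lines in the agent log."""
    params = {}
    for line in log_text.splitlines():
        m = PARAM_RE.match(line.strip())
        if m:
            params[m.group(1).lower()] = m.group(2).strip()
    return params

def parse_sessionlinker(value):
    """Split 'Cookie=...;NOBLOT;URL=...' into a dict; bare flags map to True."""
    opts = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        key, sep, val = part.partition("=")
        opts[key.upper()] = val if sep else True
    return opts

def diagnose(log_text, trace_text):
    """Return (sessionlinker options, list of findings) for one log/trace pair."""
    params = parse_startup_params(log_text)
    linker = parse_sessionlinker(params.get("sessionlinker", ""))
    # The page states the default value of EnableAuthorization is yes.
    authz_off = params.get("enableauthorization", "yes").lower() == "no"
    skipped = trace_text.count("Authorization is skipped as it is not enabled")
    findings = []
    if linker and authz_off:
        findings.append("Session Linker is configured but enableauthorization=no: "
                        "the linked cookie is never validated")
    if linker and skipped:
        findings.append(f"{skipped} request(s) ended before authorization")
    if "Bad link." in trace_text:
        findings.append("Session Linker reported a bad link (possible cookie tampering)")
    return linker, findings
```
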