One of the application teams is migrating an internal application to SiteMinder R12.8 policy servers. While testing the application's functionality, clicking a link that results in a POST request caused users to see a page with the message:
Redirecting to complete authentication
This interim page is used by SiteMinder to redirect you through the logon process while maintaining your POST data. You will be forwarded to continue the authentication and authorization process and retain the POST parameters.
The POST request was being made via HTTP (not HTTPS), but the session cookie had the Secure flag, so the browser did not present the session cookie on the POST request and the user was therefore challenged for authentication.
The 'Redirecting to complete authentication' page is always served when a user is redirected for authentication on a POST request and post preservation is enabled. In most instances, however, authentication completes quickly enough that users never actually see the post preservation page. The design of the application in question also has frequent GET requests between POST requests, so a timed-out session is usually encountered during a GET rather than a POST request, which further decreases the chance that a user ever sees the post preservation page during a POST request.
This functionality is the same in all supported releases of SiteMinder, so the behavior was not related to the customer's 12.8 migration.
Release : All
Component : Web Agent
Since this protected application does not force HTTPS and allows HTTP, the UseSecureCookies Agent Configuration Object parameter should be set to No.
HTTP access is allowed here because this was an internal-only application. In most production environments, protected applications may only be accessed via HTTPS, and in such cases, the UseSecureCookies=Yes setting is recommended.
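The cookie behavior behind this issue can be reproduced offline. The following is an added example, not part of the original article or of SiteMinder: it uses Python's standard-library cookie jar as a stand-in for the browser, which applies the same Secure-flag rule. The hostname, path, POST body and cookie value are constructed; SMSESSION is the SiteMinder session cookie name and is not stated in the article.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

HOST = "app.internal.example"  # constructed hostname for the protected app


def session_cookie(secure):
    """Build a session cookie as the client stores it after login.

    secure=True models UseSecureCookies=Yes, secure=False models No.
    """
    return Cookie(
        version=0, name="SMSESSION", value="constructed-token",
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_sent(scheme, secure):
    """Return True if the client attaches the session cookie to a POST."""
    jar = CookieJar()
    jar.set_cookie(session_cookie(secure))
    req = Request(f"{scheme}://{HOST}/orders/submit",
                  data=b"item=42", method="POST")
    jar.add_cookie_header(req)  # applies the Secure-flag check
    return req.has_header("Cookie")


def outcome(scheme, secure):
    """Map the result to what the user experiences on the POST."""
    if cookie_sent(scheme, secure):
        return "session presented, POST processed"
    # No cookie: the agent sees an unauthenticated POST and, with post
    # preservation enabled, serves the interim redirect page.
    return "no session cookie, user challenged via post preservation page"


if __name__ == "__main__":
    for scheme in ("http", "https"):
        for secure in (True, False):
            flag = "Yes" if secure else "No"
            print(f"{scheme:5} UseSecureCookies={flag:3} -> "
                  f"{outcome(scheme, secure)}")
```

Only the HTTP request with the Secure cookie loses its session, which is the combination described above.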