
SMTRYNO cookie behavior when NO username submitted to login form


Article ID: 229094


Products

SITEMINDER

Issue/Introduction

smretries keeps redirecting to the unauth page when a blank username / password is submitted to the login form.


** Scenario 1 --> user is null

NOTE --> the login form is set with @smretries=1

1) The user accesses a protected page and gets redirected to the login form.
2) The user hits Enter WITHOUT entering any username / password.
3) The FCC sets SMTRYNO to 1 and the user gets redirected to the unauth page.

Set-Cookie: SMTRYNO=1; path=/; domain=.bpc.broadcom.net

4) The user attempts to access the protected page one more time from the same browser session and gets redirected again to the unauth page, since the browser still has the SMTRYNO=1 cookie.


 [11/15/2021][11:33:08][27167][2902431488][SmFCC.cpp:759][SmFcc::getCredentials][000000000000000000000000dc704a0a-6a1f-61928bc4-acff9700-bf7f3e611d34][*10.230.10.65][][1252sp1cr11agent][/testtimeout][][Failed to get Form credentials.]
 [11/15/2021][11:33:08][27167][2902431488][SmFCC.cpp:1626][SmFcc::generateForm][000000000000000000000000dc704a0a-6a1f-61928bc4-acff9700-bf7f3e611d34][*10.230.10.65][][1252sp1cr11agent][/testtimeout][][Too many retries.]


 
** Scenario 2 --> username is set

1) The user accesses a protected page and gets redirected to the login form.
2) The user hits Enter, this time providing a username BUT a wrong password. This time we see 2 cookies being set as follows:

Set-Cookie: SMTRYNO=1; path=/; domain=.bpc.broadcom.net
Set-Cookie: SMTRYNO=; expires=Thu, 20 May 2021 13:52:57 GMT; path=/; domain=.bpc.broadcom.net

3) The user attempts to access the protected page one more time. This time, if we look at the request headers, there is NO SMTRYNO cookie, since it was set to expire by the Agent in the previous step, so the user is redirected successfully to the login page (NOT the unauth page).

 [11/15/2021][11:35:17][27168][3075680000][SmFCC.cpp:767][SmFcc::getCredentials][000000000000000000000000dc704a0a-6a20-61928c45-b7532700-eaa86068d37a][*10.230.10.65][][1252sp1cr11agent][/testtimeout][][Success in collecting credentials.]
 [11/15/2021][11:35:17][27168][3075680000][CSmLowLevelAgent.cpp:1380][AuthenticateUser][000000000000000000000000dc704a0a-6a20-61928c45-b7532700-eaa86068d37a][*10.230.10.65][][1252sp1cr11agent][/testtimeout][][User 'user1' is not authenticated by Policy Server.]
 [11/15/2021][11:35:17][27168][3075680000][CSmHttpPlugin.cpp:3353][CSmHttpPlugin::ProcessResponses][000000000000000000000000dc704a0a-6a20-61928c45-b7532700-eaa86068d37a][*10.230.10.65][][1252sp1cr11agent][/testtimeout][][Unable to verify tryno count, exiting with SmFailure.]
 [11/15/2021][11:35:17][27168][3075680000][SmPluginUtilities.cpp:168][DeleteCookie][000000000000000000000000dc704a0a-6a20-61928c45-b7532700-eaa86068d37a][*10.230.10.65][][1252sp1cr11agent][/testtimeout][][Deleted cookie 'SMTRYNO'.]

 

Environment

Release: any Agent

Resolution

How smretries works:

- When the form page is posted, with or without credentials, the SMTRYNO cookie value is increased.
- If the user / credentials are null, the request does not go to the Policy Server (PS).
- If the user credentials are not null, the web agent tries to authenticate the user and sends the request to the PS. The SMTRYNO cookie is deleted as part of the authentication response.
- With empty credentials, the user will always be redirected to the unauth page.
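The two flows can be told apart in a web agent trace by grouping lines per transaction ID and checking which messages appear. The following is an added example, not Broadcom code: the sample lines are constructed in the layout of the trace excerpts above (transaction IDs shortened), and the field positions and scenario labels are assumptions inferred from those excerpts.

```python
import re
from collections import defaultdict

# Constructed sample: the article's trace layout, transaction IDs shortened.
SAMPLE_TRACE = """\
[11/15/2021][11:33:08][27167][2902431488][SmFCC.cpp:759][SmFcc::getCredentials][txn-blank][*10.230.10.65][][1252sp1cr11agent][/testtimeout][][Failed to get Form credentials.]
[11/15/2021][11:33:08][27167][2902431488][SmFCC.cpp:1626][SmFcc::generateForm][txn-blank][*10.230.10.65][][1252sp1cr11agent][/testtimeout][][Too many retries.]
[11/15/2021][11:35:17][27168][3075680000][SmFCC.cpp:767][SmFcc::getCredentials][txn-badpw][*10.230.10.65][][1252sp1cr11agent][/testtimeout][][Success in collecting credentials.]
[11/15/2021][11:35:17][27168][3075680000][CSmLowLevelAgent.cpp:1380][AuthenticateUser][txn-badpw][*10.230.10.65][][1252sp1cr11agent][/testtimeout][][User 'user1' is not authenticated by Policy Server.]
[11/15/2021][11:35:17][27168][3075680000][SmPluginUtilities.cpp:168][DeleteCookie][txn-badpw][*10.230.10.65][][1252sp1cr11agent][/testtimeout][][Deleted cookie 'SMTRYNO'.]
"""

FIELD = re.compile(r"\[([^\]]*)\]")
N_FIELDS = 13  # bracketed fields per line in the article's trace excerpts

def parse_line(line):
    """Split one trace line into the fields used below; None if malformed."""
    f = FIELD.findall(line)
    if len(f) != N_FIELDS:
        return None
    # Assumed positions: 6 = transaction ID, 7 = client, 10 = resource, 12 = message.
    return {"txn": f[6], "client": f[7], "resource": f[10], "msg": f[12]}

def classify(msgs):
    """Map one transaction's messages to the article's scenario 1 or 2."""
    has = lambda text: any(text in m for m in msgs)
    if has("Failed to get Form credentials.") and has("Too many retries."):
        # Scenario 1: blank form, no Policy Server call, SMTRYNO stays set.
        return "blank-credentials-retry-limit"
    if has("is not authenticated by Policy Server.") and has("Deleted cookie 'SMTRYNO'."):
        # Scenario 2: authentication attempted and failed, SMTRYNO deleted.
        return "failed-auth-tryno-deleted"
    return "other"

def classify_trace(text):
    """Return {transaction ID: (scenario, client, resource)}."""
    msgs, meta = defaultdict(list), {}
    for line in text.splitlines():
        rec = parse_line(line.strip())
        if rec is None:
            continue  # skip blank or truncated lines
        msgs[rec["txn"]].append(rec["msg"])
        meta[rec["txn"]] = (rec["client"], rec["resource"])
    return {t: (classify(m), *meta[t]) for t, m in msgs.items()}

if __name__ == "__main__":
    for txn, result in classify_trace(SAMPLE_TRACE).items():
        print(txn, *result)
```

Transactions labelled `blank-credentials-retry-limit` are the ones where the browser keeps SMTRYNO and the user stays on the unauth page until the cookie is gone.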

Additional Q&A:
---------------
Follow-up question from Support --> Just one more question: in the flow where we are submitting the user ID, and in case we already have SMTRYNO=1, why are we reporting --> "[Unable to verify tryno count, exiting with SmFailure.]" knowing that the cookie is there, and then issuing a Delete? Is that expected behavior?

Answer from DEV -->  
* Before user authentication, smtryno value is set. 
* After user authentication fails, check if the smtryno value reached the maximum try limit. 
* If the smtryno value reached the maximum try limit, print error message and delete cookie.
SmTraceData(pRequestCtxt,__FILE__,__LINE__,SmHTTPAgentComponent::RequestProcessing,"CSmHttpPlugin::ProcessResponses","Unable to verify tryno count, exiting with SmFailure.");
DeleteCookie (m_pLogger, pRequestCtxt, pWebFilterCtxt, sTryNoCookieName);