Duplicated SMSESSION cookie behavior knowledge in the browser with Agent


Article ID: 234786


Products

CA Single Sign On Agents (SiteMinder), CA Single Sign On Secure Proxy Server (SiteMinder), SITEMINDER

Issue/Introduction

How are the SiteMinder SMSESSION cookie and other cookies set in the browser?

Related behaviors that may be observed:

  • Users may get redirected to the login page despite submitting valid credentials;
  • Users may get redirected to the login page prematurely (before reaching the idle timeout);
  • User1 logged in, but the session later became User2's session.

Cause

There can be multiple reasons, but in general, ensure there is only one SMSESSION cookie throughout the life of the user session.

The following situations can cause unexpected behavior:

  1. An SMSESSION cookie appears out of nowhere.

     This may replace the user's session and cause a session swap.

  2. Multiple SMSESSION cookies appear in the request.

     This may cause a session swap, depending on which session cookie is submitted first;
     This may cause unexpected redirects to the login page.

  3. A combination of the above.

Resolution

When a cookie appears from nowhere, it could be a cached cookie: the browser is submitting a cookie that was stored together with a cached page.

  • Ensure the cookies do not get cached by the browser.

    This usually happens when the page (content) gets cached in the browser and the cookies also get cached.

    Adding a no-cache header may help.

  • There can also be a proxy that is caching the cookies.

    This is trickier to identify. Obtain the complete topology of the setup to understand which component is acting as a proxy and whether a caching mechanism exists anywhere in the path.

    ACO parameter ExpireForProxy may be worth exploring.

Generally, when multiple cookies appear, investigate what the set-cookie header parameters were for each of those cookies.

set-cookie: SMSESSION=<value1>; path=/; domain=.example.com;

This SMSESSION cookie can be overwritten with a new value only if the parameters match.

set-cookie: SMSESSION=<value2>; path=/; domain=.example.com;

Now there is only one SMSESSION cookie, with the value <value2>.

But the cookie will not be overwritten if the set-cookie has different parameters, like:

set-cookie: SMSESSION=<value2>; path=/test; domain=.example.com;
set-cookie: SMSESSION=<value2>; path=/; domain=www.example.com;
set-cookie: SMSESSION=<value2>; path=/; domain=.example.com; secure;
set-cookie: SMSESSION=<value2>; path=/; domain=.example.com; samesite=none;
set-cookie: SMSESSION=<value2>; path=/; domain=.example.com; secure; samesite=none;

If one of the above is sent to the browser, it will result in 2 SMSESSION cookies, as long as the set-cookie parameters are different from the existing SMSESSION cookie.

SMSESSION=<value>, SMSESSION=<value2>

The same goes for the SMSESSION=LOGGEDOFF cookie.
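The checks described above (replaying set-cookie headers to see whether a second SMSESSION cookie is created, counting SMSESSION values in the submitted Cookie header, and spotting a response that sets SMSESSION without a no-cache/no-store directive) can be run over headers copied from a browser trace. The script below is an added example, not code from CA/Broadcom or the SiteMinder product; it applies the rule stated in this article (a later set-cookie replaces the stored cookie only when every parameter matches), and the sample headers at the bottom are constructed, not from a real capture.

```python
"""Diagnostics for duplicated SMSESSION cookies (added example, not SiteMinder code)."""
from dataclasses import dataclass

COOKIE_NAME = "SMSESSION"


@dataclass(frozen=True)
class SetCookie:
    name: str
    value: str
    attrs: tuple  # sorted (attribute, value) pairs, lowercased; flags such as secure get ""


def parse_set_cookie(header: str) -> SetCookie:
    """Parse 'set-cookie: NAME=value; path=/; domain=.example.com; secure'."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    return SetCookie(name.strip(), value.strip(), tuple(sorted(attrs.items())))


def simulate_jar(set_cookie_headers):
    """Replay set-cookie headers in order into a jar keyed by (name, attributes).

    Article's rule: a later set-cookie replaces the stored cookie only when the
    name and every parameter match; any difference in path, domain, secure or
    samesite stores a second cookie instead.
    """
    jar = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        jar[(cookie.name, cookie.attrs)] = cookie.value
    return jar


def duplicate_set_cookies(set_cookie_headers, name=COOKIE_NAME):
    """Distinct (attributes, value) entries the jar holds for `name`.

    More than one entry means the browser will submit several SMSESSION cookies.
    """
    jar = simulate_jar(set_cookie_headers)
    return [(attrs, value) for (n, attrs), value in jar.items() if n == name]


def cookie_values(cookie_header: str, name=COOKIE_NAME):
    """Values for `name` in a request Cookie header, in the order submitted."""
    if cookie_header.lower().startswith("cookie:"):
        cookie_header = cookie_header.split(":", 1)[1]
    values = []
    for pair in cookie_header.split(";"):
        key, _, val = pair.strip().partition("=")
        if key.strip() == name:
            values.append(val.strip())
    return values


def sets_session_without_no_cache(response_headers):
    """True when a response sets SMSESSION but has no Cache-Control no-store/no-cache.

    Heuristic for the cached-cookie case: a cacheable page that also sets the
    session cookie is the situation the article says to avoid.
    """
    sets_session = any(
        h.lower().startswith("set-cookie:") and parse_set_cookie(h).name == COOKIE_NAME
        for h in response_headers
    )
    cache_control = " ".join(
        h.split(":", 1)[1].lower() for h in response_headers
        if h.lower().startswith("cache-control:")
    )
    protected = "no-store" in cache_control or "no-cache" in cache_control
    return sets_session and not protected


# Constructed sample headers, not taken from a real capture
SAMPLE_RESPONSE = [
    "set-cookie: SMSESSION=value1; path=/; domain=.example.com;",
    "set-cookie: SMSESSION=value2; path=/; domain=.example.com;",  # replaces value1
    "set-cookie: SMSESSION=value3; path=/; domain=.example.com; secure; samesite=none;",  # second cookie
]
SAMPLE_REQUEST = "cookie: SMSESSION=value2; SMSESSION=value3; JSESSIONID=abc"

if __name__ == "__main__":
    for attrs, value in duplicate_set_cookies(SAMPLE_RESPONSE):
        print(f"SMSESSION={value} with parameters {dict(attrs)}")
    print("request submits SMSESSION values:", cookie_values(SAMPLE_REQUEST))
    print("cacheable response sets SMSESSION:", sets_session_without_no_cache(SAMPLE_RESPONSE))
```

Paste the set-cookie lines from the responses and the Cookie line from the problem request in place of the constructed samples; two entries from duplicate_set_cookies, or two values from cookie_values, is the multiple-cookie situation described above, and the parameter dictionaries printed for each entry show which parameter differs.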