General knowledge of cookies

Article ID: 234786

Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

This article provides general information on how cookies behave with SiteMinder, in order to explain the following use cases:

Users are redirected to the login page despite submitting valid credentials.
Users are redirected to the login page prematurely (before the idle timeout is reached).
User1 logs in, but the session later becomes User2's.

Environment

Release : 12.0

Component : SITEMINDER -WEB AGENT FOR APACHE

Cause

There can be multiple reasons, but in general you must ensure there is only one SMSESSION cookie throughout the life of the user session.

The following situations cause unexpected behavior:

1. An SMSESSION cookie appears out of nowhere.
--> This may replace the user's session and cause a session swap.

2. Multiple SMSESSION cookies appear in the request.
--> This may cause a session swap, depending on which session cookie is submitted first.
--> This may cause an unexpected redirect to the login page.

3. A combination of the above.

Resolution

When a cookie appears from nowhere, it could be a cached cookie, i.e. the browser submitting a cookie from a cached page.
--> You will need to ensure that cookies do not get cached by the browser. This usually happens when the page (content) is cached by the browser and the cookies are cached along with it. Adding a no-cache header may help.
--> There can also be a proxy that is caching the cookies. This is more tricky to identify; the customer will need a complete topology of their setup to understand which component is acting as a proxy and whether it is caching anything. The ACO parameter ExpireForProxy may be worth exploring.

When multiple cookies appear, you will need to investigate what the Set-Cookie header parameters were for those cookies.
set-cookie: SMSESSION=XXX; path=/; domain=.test.lab;

This SMSESSION cookie can be overwritten with a new value only if the parameters match.
set-cookie: SMSESSION=YYY; path=/; domain=.test.lab;

Now you will have only one SMSESSION cookie, with the value "YYY".

But the cookie will not be overwritten if the Set-Cookie header has different parameters.

set-cookie: SMSESSION=YYY; path=/test; domain=.test.lab;
set-cookie: SMSESSION=YYY; path=/; domain=www.test.lab;
set-cookie: SMSESSION=YYY; path=/; domain=.test.lab; secure;
set-cookie: SMSESSION=YYY; path=/; domain=.test.lab; samesite=none;
set-cookie: SMSESSION=YYY; path=/; domain=.test.lab; secure; samesite=none;

If one of the above (or any Set-Cookie whose parameters differ from those of the existing SMSESSION cookie) is sent to the browser, it will result in two SMSESSION cookies:

SMSESSION=XXX, SMSESSION=YYY

The same applies to the SMSESSION=LOGGEDOFF cookie.
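The following is an added example, not code from this article or from SiteMinder. It models a browser cookie store to show how the Set-Cookie sequences above end up as one or two SMSESSION cookies in the request. The model follows RFC 6265: a stored cookie is identified by its name, domain and path, a later Set-Cookie with the same three values replaces it, and any other combination adds a second cookie of the same name; Secure and SameSite are kept as attributes of the stored cookie. The hostnames (test.lab), paths and cookie values are constructed samples, and session_cookie_values is a helper written here to count SMSESSION values in a captured Cookie header.

```python
"""Browser cookie-store model for tracing duplicate SMSESSION cookies (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str                 # lower-case, leading dot removed
    host_only: bool             # True when Set-Cookie carried no Domain attribute
    path: str
    secure: bool = False
    samesite: Optional[str] = None
    created: int = 0            # insertion order, preserved across replacement


def parse_set_cookie(header: str, response_host: str) -> StoredCookie:
    """Turn one Set-Cookie header value into a StoredCookie (RFC 6265 section 5.2)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = StoredCookie(name.strip(), value.strip(), response_host.lower(), True, "/")
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie.domain, cookie.host_only = val.lower().lstrip("."), False
        elif key == "path":
            cookie.path = val if val.startswith("/") else "/"
        elif key == "secure":
            cookie.secure = True
        elif key == "samesite":
            cookie.samesite = val.lower()
    return cookie


def domain_matches(host: str, cookie: StoredCookie) -> bool:
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: /test matches /test/app but not /testing."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class CookieStore:
    def __init__(self) -> None:
        self._cookies = {}      # (name, domain, path) -> StoredCookie
        self._clock = 0

    def apply(self, set_cookie: str, response_url: str) -> None:
        """Store the cookie from a Set-Cookie header received on response_url."""
        cookie = parse_set_cookie(set_cookie, urlsplit(response_url).hostname)
        key = (cookie.name, cookie.domain, cookie.path)
        old = self._cookies.get(key)
        # Same name, domain and path: replace the value, keep the original creation order.
        cookie.created = old.created if old else self._clock
        self._clock += 1
        self._cookies[key] = cookie

    def cookie_header(self, request_url: str) -> str:
        """Build the Cookie header the browser would send to request_url."""
        parts = urlsplit(request_url)
        host, path = parts.hostname, parts.path or "/"
        sent = [c for c in self._cookies.values()
                if domain_matches(host, c) and path_matches(path, c.path)
                and (parts.scheme == "https" or not c.secure)]
        # RFC 6265 section 5.4: longer paths first, then older cookies first.
        sent.sort(key=lambda c: (-len(c.path), c.created))
        return "; ".join(f"{c.name}={c.value}" for c in sent)


def session_cookie_values(cookie_header: str, name: str = "SMSESSION") -> List[str]:
    """Every value submitted for `name`; more than one means a duplicated session cookie."""
    values = []
    for pair in cookie_header.split(";"):
        key, _, val = pair.strip().partition("=")
        if key.strip() == name:
            values.append(val.strip())
    return values


def demo() -> Tuple[str, str, str]:
    store = CookieStore()
    url = "https://www.test.lab/test/app"       # constructed sample request
    # Same name, domain and path: the second header replaces the first.
    store.apply("SMSESSION=XXX; path=/; domain=.test.lab", url)
    store.apply("SMSESSION=YYY; path=/; domain=.test.lab", url)
    after_replace = store.cookie_header(url)
    # Different path: a second SMSESSION cookie now sits alongside YYY.
    store.apply("SMSESSION=ZZZ; path=/test; domain=.test.lab", url)
    after_path = store.cookie_header(url)
    # LOGGEDOFF sent with a different domain clears neither live cookie.
    store.apply("SMSESSION=LOGGEDOFF; path=/; domain=www.test.lab", url)
    after_logoff = store.cookie_header(url)
    return after_replace, after_path, after_logoff


if __name__ == "__main__":
    for header in demo():
        print(f"{header!r} -> {len(session_cookie_values(header))} SMSESSION value(s)")
```

Running the script prints the three Cookie headers in turn; the second and third carry more than one SMSESSION value, which is exactly what to look for in a browser trace or a Web Agent log when a user is bounced to the login page or lands in someone else's session. The same session_cookie_values check can be run over captured Cookie headers from a proxy or access log to spot the condition without a browser.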