Web Agent :: SMSESSION : SessionSpec and SessionID

Article ID: 30118

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign On Agents (SiteMinder), SITEMINDER, CA Single Sign On Federation (SiteMinder)

Issue/Introduction

When a Custom Agent receives an SMSESSION cookie, will the SessionSpec and SessionID change or not, by design?

Resolution

The SessionSpec will change if the Web Agent does not have it in its cache; the SessionID stays the same.

Here is the flow of an authentication and authorization process in light of the SessionSpec:

  1. The Agent collects the user’s credentials.
  2. The Agent sends the Login() request to the Policy Server passing the received credentials. The Policy Server verifies the credentials and creates a Session Spec that represents the newly created user session. The encrypted Session Spec is sent back to the Agent together with the Session ID and other session-related parameters (idle timeout, expiration timeout, etc.).
  3. The Agent embeds the Session ID and the Session Spec in an encrypted SMSESSION cookie that is sent back to the user’s browser. The Agent also saves the Session ID and the Session Spec in its User Session Cache.
  4. Any time when an authenticated user accesses the Web site, the browser submits the SMSESSION cookie together with an HTTP request.
  5. When the Agent receives the SMSESSION cookie, it extracts the Session ID and the Session Spec and checks them against the values stored in the User Session Cache. If the Agent cache doesn’t contain a corresponding entry, the Agent uses the Validate() call to pass the Session ID and the Session Spec to the Policy Server for validation. If the validation succeeds, the Policy Server returns the updated Session Spec to the Agent. The Session ID is not modified in the course of validation.

The SessionSpec gets updated each time the Web Agent needs to validate the Session with the Policy Server and cannot refer to the object in its cache.
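To illustrate the cache-hit versus Validate() behaviour described above, here is an added Python model (not SiteMinder or Agent API code; the class names, the sealed spec format, the credential check and the sample user are constructed assumptions). Two agents share one policy server: the agent that performed the login answers from its User Session Cache, while a second agent with no cache entry must validate and receives an updated Session Spec for the unchanged Session ID.

```python
import hashlib, hmac, secrets
class PolicyServer:
    # Issues and validates Session Specs; key, spec format and checks are constructed for this model.
    def __init__(self):
        self._key = secrets.token_bytes(32)   # constructed sealing key
        self._versions = {}                   # session_id -> current spec version

    def _seal(self, session_id, version):
        body = f"{session_id}:{version}"
        return body + ":" + hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()[:16]

    def login(self, user, password):
        if (user, password) != ("alice", "correct-horse"):   # constructed credential store
            return None
        session_id = secrets.token_hex(8)
        self._versions[session_id] = 0
        return session_id, self._seal(session_id, 0)

    def validate(self, session_id, session_spec):
        # Reject tampered, foreign or stale specs; otherwise issue an updated spec for the SAME Session ID.
        parts = session_spec.split(":")
        if len(parts) != 3 or parts[0] != session_id or not parts[1].isdigit():
            return None
        expected = self._seal(session_id, int(parts[1]))
        if not hmac.compare_digest(expected.encode(), session_spec.encode()):
            return None
        if int(parts[1]) != self._versions.get(session_id):
            return None
        self._versions[session_id] += 1
        return self._seal(session_id, self._versions[session_id])

class WebAgent:
    # Each agent instance keeps its own User Session Cache keyed by Session ID.
    def __init__(self, server):
        self._server, self._cache = server, {}   # cache: session_id -> session_spec
    def login(self, user, password):
        result = self._server.login(user, password)
        if result is not None:
            self._cache[result[0]] = result[1]
        return result   # (session_id, session_spec): the SMSESSION cookie contents in this model
    def handle_request(self, cookie):
        # Returns (session_id, session_spec, validated_with_server) or None if the cookie is rejected.
        sid, spec = cookie
        if self._cache.get(sid) == spec:
            return sid, spec, False   # cache hit: no Validate() round trip, spec unchanged
        new_spec = self._server.validate(sid, spec)
        if new_spec is None:
            return None
        self._cache[sid] = new_spec   # remember the updated spec for later requests
        return sid, new_spec, True
```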