Web Agent :: SMIDENTITY Cookie

Article Id: 49773

Status: Published

Updated On: 21-03-2018 07:13

Legacy Id: TEC564872

Products:

CA Single Sign On Secure Proxy Server (SiteMinder) , AXIOMATICS POLICY SERVER , CA Single Sign On SOA Security Manager (SiteMinder) , CA Single Sign-On , CA Single Sign-On

Issue/Introduction:

Description:

I am running Web Agent as Reverse Proxy.

In order to limit the size of the request going to a backend server, I have configured the Web Agent with the following:

DisableAuthSrcVars to yes 
DisableSessionVars to yes 
DisableUserVars to yes

But, I still see the SMIDENTITY cookie sent to the backend Application Server. Is it possible to make this cookie not sent to the backend server?

Solution:

You still see the SMIDENTITY sent to the backend server because the SMIDENTITY is a cookie.

The difference between HTTP header variables and HTTP cookie variables are that the HTTP header variables are maintained by the Server, and the HTTP cookie variable, even produced first by the Server, are sent by the browser.

Considering this, as you have seen in your architecture, the SMIDENTITY cookie cannot be blocked as per setting:

DisableAuthSrcVars to yes 
DisableSessionVars to yes 
DisableUserVars to yes

which are maintained by the Server.

The only way not to get it passed to the backend Application Server, is to disable it as per tech note:
https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search&searchID=TEC457849.

There is no way to keep it enabled, and to block it then to be passed to the backend server.

Environment:

Release:
Component: SMAPC