We have two separate infrastructures, one our Siteminder pre-production infrastructure and the second one is our production environment.
We have found that the SMsession cookie generated by pre-production can be used in our production environment and vice versa.
Is there any reason why SMsession cookie from separate siteminder policy servers can be validated? This poses vulnerability since the application is external facing.
SSO between both environments is possible because SiteMinder Policy Server is able to decrypt the smsession cookie.
SiteMinder Web Agents use agent keys to encrypt and decrypt the cookies issued by SiteMinder Policy Server. Therefore, this suggests that both environments have the same set of agent keys.
Please note that Policy Server supports two types of Agent keys:
To fix this problem both environments have to have different agent keys, You can rollover agent keys in the Admin UI under Tools -> Manage Keys, then restart your web agents and be sure that the SM web agents pick up their unique new keys.