search cancel

How is the resolved Cookie Domain determined for a Web Agent

book

Article ID: 45343

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER

Issue/Introduction

 

For some reason, 2 SMSESSION cookies are created; one for domain A and
the other for a subdomain of A.

 

Cause

 

This issue is the result of two or more Single Sign On (fka
SiteMinder) Agents being involved in the flow of a request; for
instance a Standard Web Agent on a proxy to an Application Server with
a Single Sign On Application Server Agent installed and the Cookie
Domain configured for both Agents does not match.

Though it will not be seen two cookie created on authentication, it is
possible to have both Agents issue a "Set-Cookie" statement back to
the browser in the same response to "update" the SMSESSION
cookie.

This is encountered when the front-end Web Agent is configured
with a Cookie Domain that is one or more "dots" less than the Cookie
Domain at the back-end Agent. A Cookie that is set in the ".b.com"
Cookie Domain will be presented by the browser in a request to a
Web\Application Server in the ".a.b.com" domain.

So, if the front-end Agent is creating a cookie in the ".b.com" Cookie
Domain and the back-end Agent is creating cookies in the ".a.b.com"
Cookie Domain, it is possible to get two cookies at the browser that
are "appropriate" for the same request to a Web\Application Server in
the ".a.b.com" domain. There is no guarantee which cookie will be
presented first in this situation and processed by the Agents.

 

Environment

 

Single Sign On (fka SiteMinder)

 

Resolution

 

Ensure that both Agents in the flow have the same settings for the
CookieDomain and CookieDomainScope parameters in their Agent
Configuration Objects (ACO). The SMSESSION cookies set by a Web Agent
are governed by the "CookieDomain" and "CookieDomainScope" ACO
settings.

If "CookieDomain" is set to a value, then it does not matter what the
"CookieDomainScope" is set to; the Agent will create cookies in the
domain defined in the "CookieDomain" setting.

If the "CookieDomain" is set to a value of "NONE", then the cookie is
created without a Domain making it a "Host-Only" cookie.

If "CookieDomain" is not set to a value (BLANK), then the SMSESSION
cookie will be set based on the Resolved Host of the request and the
"CookieDomainScope" setting.

If the Resolved Host is "mymachine.a.b.c.d.e.com", CookieDomain is
<Blank>, and the CookieDomainScope is :

  "0" - the Cookie Domain would be ".a.b.c.d.e.com"

  "1" - invalid configuration, you cannot use a CookieDomainScope of
        "1"; you cannot create a Cookie in the ".com" Top level
        Domain.

  "2" - the Cookie Domain would be ".e.com"

  "3" - the Cookie Domain would be ".d.e.com"

  "4" - the Cookie Domain would be ".c.d.e.com"

  "5" - the Cookie Domain would be ".b.c.d.e.com"

  "6" - the Cookie Domain would be ".a.b.c.d.e.com"

  "7" - the Cookie Domain would not be set (Host-Only cookie)