
CA SPS: Enable Rewrite Cookie Domain parameter

Question asked by daniele_tonna on Sep 2, 2016
Latest reply on Sep 9, 2016 by daniele_tonna

Hi all,

I would like more information about the "Enable Rewrite Cookie Domain" SPS parameter.

The documentation states:

enablerewritecookiedomain
Instructs the SPS to rewrite the cookie domain from the domain set by the server sitting behind the proxy to the domain of the initial request.

Here are my use case conditions:

  • I use the SPS to proxy (forward) requests to a backend web server
  • The SPS uses the domain ".domain-sps.com"
  • The Web Agent for the SPS is disabled
  • The backend web server uses the domain ".internal-domain.com"
  • The Web Agent for the backend server is enabled
  • The Web Agent for the backend server is configured with the following parameters:
    • CookieDomain: .internal-domain.com
    • CookieDomainScope: 2
  • The Web Agent for the backend server protects the resource /dummy/*

I know that for best practice the web agent should be enabled on the SPS and not on the backend server, but I have no other choice.

When I try to access the protected resource via CA SPS (with the URL http://app.domain-sps.com/dummy/resource.html), the Web Agent installed on the backend web server redirects the user to the authentication page. After successful authentication the backend web agent sets the SMSESSION with the domain ".internal-domain.com" and redirects the client to the original protected resource. The client requests the protected resource once again (http://app.domain-sps.com/dummy/resource.html) but does not send the SMSESSION because the domain in the cookie (.internal-domain.com) is different from the one requested (.domain-sps.com). Due to this the backend web agent prompts the user with the login form once again.

Honestly this makes sense to me, but I hoped that with the parameter enablerewritecookiedomain=yes the SPS would rewrite the cookie domain.

Does the "Enable Rewrite Cookie Domain" work only for third party cookies and not for SMSESSION?

Any other suggestions or information about this?

Thanks in advance,

Daniele
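
The cookie scoping described in the question, as an added example that is not part of the original post and is not CA SPS code: it applies the generic RFC 6265 domain-match rule to the two domains from the post and shows the effect of rewriting the `Domain` attribute of a `Set-Cookie` header to the domain of the request. The function names, the two-label rewrite policy and the cookie value are assumptions made for illustration.

```python
# Added illustration of generic RFC 6265 cookie scoping; not CA SPS code.
REQUEST_HOST = "app.domain-sps.com"          # host from the question
# Constructed Set-Cookie header; the session value is a placeholder.
BACKEND_SET_COOKIE = "SMSESSION=CONSTRUCTED_VALUE; Path=/; Domain=.internal-domain.com; HttpOnly"


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")  # a leading dot is ignored
    return host == domain or host.endswith("." + domain)


def get_cookie_domain(set_cookie: str) -> str:
    """Return the Domain attribute of a Set-Cookie value, or '' if absent."""
    for attr in set_cookie.split(";")[1:]:      # skip the name=value pair
        name, _, value = attr.strip().partition("=")
        if name.lower() == "domain":
            return value.strip()
    return ""


def parent_domain(host: str, labels: int = 2) -> str:
    """Hypothetical policy: scope the cookie to the last `labels` labels."""
    return "." + ".".join(host.lower().split(".")[-labels:])


def rewrite_cookie_domain(set_cookie: str, request_host: str) -> str:
    """Swap the backend's Domain attribute for one the request host matches."""
    pair, *attrs = [p.strip() for p in set_cookie.split(";") if p.strip()]
    new_domain = "Domain=" + parent_domain(request_host)
    attrs = [new_domain if a.partition("=")[0].strip().lower() == "domain" else a
             for a in attrs]
    return "; ".join([pair, *attrs])


def browser_sends(set_cookie: str, request_host: str) -> bool:
    """Domain check only (Path and Secure ignored): is the cookie attached?"""
    domain = get_cookie_domain(set_cookie)
    # Without a Domain attribute the cookie is host-only and goes back
    # to the host that set it, assumed here to be request_host.
    return domain_match(request_host, domain) if domain else True


if __name__ == "__main__":
    print("as issued:", browser_sends(BACKEND_SET_COOKIE, REQUEST_HOST))
    rewritten = rewrite_cookie_domain(BACKEND_SET_COOKIE, REQUEST_HOST)
    print("rewritten:", rewritten, browser_sends(rewritten, REQUEST_HOST))
```

Comparing the `Set-Cookie` header as issued by the backend with the one the client actually receives through the proxy shows whether the `Domain` attribute was rewritten for a given cookie.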
