Symantec Access Management

  • 1.  2 SMSESSION cookies with request

    Posted Feb 23, 2017 08:01 PM

    Hello,  

    Sometimes (most times) when I authenticate to the Policy Server (tried IWA/Basic), I get 2 SMSESSION cookies. I am not sure since when it started to happen but only realized this week as we tried to implement persistent sessions. For every authentication, there is a persistent session created in the session store, which I can confirm by looking at the count. Session timeout is set to 90 days in the SiteMinder resource realm. However, upon authentication, when the cookies are set in my browser, I have 2 SMSESSION cookies: one of them has an 'Expiry Date' (indicating that it's a persistent cookie), and the other SMSESSION has no 'Expiry', which means the browser will discard it upon closing the browser. Upon subsequent HTTP transactions of the same request, the browser keeps one of the 2 SMSESSIONs. If it chooses to keep the one with 'Expiry Date', then my session continues even after I restart my browser multiple times. This will work until I clear my browser cache manually.

    However, if my browser chooses to keep the one without 'Expiry Date', then my session is lost upon closing the browser. What can be happening here?  

     

    Webagent version: 

    Product Name=CA SiteMinder Web Agent 

    FullVersion=12.0.305.427 

    Version=12QMR3 

    Update=05 

    Build Number=427 

    Policy Server:

    ProductName=CA SiteMinder Policy Server 

    FullVersion=12.51.1.972 



  • 2.  Re: 2 SMSESSION cookies with request

    Posted Feb 23, 2017 08:08 PM

    Can you upload Fiddler?

     

    1. Start Fiddler
    2. Start with private/incognito window.
    3. Login
    4. Upload Fiddler
    • How many agents are involved?
    • What are the values of the cookiedomain and cookiedomainscope ACO parameters?
    • Is cookieprovider involved?


  • 3.  Re: 2 SMSESSION cookies with request
    Best Answer

    Posted Feb 23, 2017 09:53 PM

    For others' benefit, we identified the RCA for this.

    Here is a summary:

     

    • Front end - Normal Web Agent (Persistent cookie configured)
    • Backend - TAI Agent (Non-persistent cookie configured)

     

    So basically, when the NTC challenge is complete, both the front and back agents set an SMSESSION cookie for the same cookie domain. So, eventually the browser takes only one cookie, which happens to be the one set by the TAI agent and is non-persistent.

     

    Resolution:

    Configure TAI agent to also set Persistent Cookie.
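
Added example, not part of the thread or of any CA/Symantec tooling: a Python check over Set-Cookie headers exported from a capture (such as the Fiddler trace requested above) that flags two responders setting SMSESSION for the same cookie domain and path while disagreeing on persistence. Hostnames and cookie values are constructed, and treating a missing Path as "/" and a missing Domain as the responding host are simplifying assumptions.

```python
from collections import defaultdict

# Constructed sample: (responding host, raw Set-Cookie value) in capture order.
SAMPLE_FLOW = [
    ("front.example.com",
     "SMSESSION=AAAA; Domain=.example.com; Path=/; "
     "Expires=Wed, 24 May 2017 21:00:00 GMT; HttpOnly"),
    ("app.example.com", "SMSESSION=BBBB; Domain=.example.com; Path=/; HttpOnly"),
    ("app.example.com", "JSESSIONID=CCCC; Path=/app"),
]


def parse_set_cookie(raw):
    """Split one Set-Cookie value into (name, value, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in raw.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_persistent(attrs):
    """A cookie outlives the browser session only if it carries Expires or Max-Age."""
    return "expires" in attrs or "max-age" in attrs


def find_conflicts(flow, cookie_name="SMSESSION"):
    """Return {(domain, path): [(host, persistent), ...]} where setters disagree."""
    groups = defaultdict(list)
    for host, raw in flow:
        name, _, attrs = parse_set_cookie(raw)
        if name != cookie_name:
            continue
        # Assumption: missing Domain -> responding host, missing Path -> "/".
        domain = attrs.get("domain", host).lstrip(".").lower()
        groups[(domain, attrs.get("path", "/"))].append((host, is_persistent(attrs)))
    return {key: setters for key, setters in groups.items()
            if len({persistent for _, persistent in setters}) > 1}


if __name__ == "__main__":
    for (domain, path), setters in find_conflicts(SAMPLE_FLOW).items():
        print(f"SMSESSION for {domain}{path} set with mixed persistence:")
        for host, persistent in setters:
            print(f"  {host}: {'persistent' if persistent else 'session-only'}")
```
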



  • 4.  Re: 2 SMSESSION cookies with request

    Posted Feb 26, 2017 04:53 PM

    Hi Anil,

     

    Let's continue it here..

     

    So enabling persistent cookie on TAI agent didn't help.

     

    After enabling persistent cookie you see :

    [23 Feb 2017 21:23:09,774] [main] [INFO] High Level Agent configuration: persistent cookies set to default.
    You also say: "I have another TAI agent (PRODUCT_UPDATE=0200, PRODUCT_LABEL=211) on which I have an ACO UseOnlyProxySESSIONCOOKIE set to ENABLED. But my other TAI agent, which is problematic, does not like this and does not even seem to load upon starting up. Do you know if this is version specific?
    By the way, the issue is very specific to TAI only, as I am unable to reproduce this with policies that do not involve TAI."


  • 5.  Re: 2 SMSESSION cookies with request

    Posted Feb 26, 2017 08:59 PM

    Hi Anil,

     

    "UseOnlyProxySESSIONCOOKIE" is not supported on ASA ACO. It's expected that ASA does not load the parameter. As you mentioned this is an ASA-specific use case, I presume you have another working ASA environment.

    If that's the case, comparing the working and non-working environment logs might give us some hints.

     

    Regards,

    Kar Meng



  • 6.  Re: 2 SMSESSION cookies with request

    Posted Mar 02, 2017 07:25 PM

    Thanks Ujwal/Kar Meng.

    By enabling persistentcookies and prevalidation, TAI is generating persistent cookies, and that resolved my issue. However, TAI still generated its SMSESSION, which means I still have 2 SMSESSIONS. Since both of them are persistent, my issue is resolved.

     

    UseOnlyProxySESSIONCOOKIE is a valid ACO setting which I am using, but I can't find documentation around it. I will create a ticket with CA to see if they could help. Thanks Ujwol for your timely response as usual.



  • 7.  Re: 2 SMSESSION cookies with request

    Posted Mar 02, 2017 11:35 PM

    No worries, Anil. Happy to help.