CA SSO : Query regarding SMSESSION cookie

Question asked by Dhi1ip on Dec 4, 2017
Latest reply on Dec 5, 2017 by Ujwol Shrestha



Assume that we have two applications A and B.

  • For both applications, the Protection Level is the same and SessionGracePeriod is 30 seconds.
  • But, the Idle Timeout of application A is 1 hour whereas the Idle Timeout of application B is 5 minutes.


  • At 10:00 AM, we log in to application A and the SMSESSION cookie is generated.
  • At 10:05 AM, we log in to application B in the same browser (we are not prompted for credentials and the existing session is used).
  • We do not perform any activity until 10:15 AM.
  • Now, if we refresh application B at 10:15 AM, it does not prompt for credentials, meaning the session is not expiring (due to Idle Timeout) for application B.


I presume it is because SMSESSION has been created with Application A and the value of ATTR_IDLESESSIONTIMEOUT in SMSESSION will be 1 hour. Please correct me if I am wrong.


  1. Now, how to overcome this behavior? Do we have any parameter in ACO to control this?
  2. Also, if the SMSESSION cookie will not be updated with the Idle Timeout of Application B, why am I getting the "Generated SMSESSION cookie" message in the Web Agent trace log while launching application B? Has the cookie been re-generated using the same values?
  3. First of all, on launching application B (after the SessionGracePeriod period), will the Web Agent request the web server to create a new SMSESSION cookie, as I can see the Cookie Created time (in the Chrome browser) is getting updated? If yes, is there any specific reason for creating a new cookie instead of updating the value of the same/old cookie (in encrypted format)?