Symantec Access Management

  • 1.  Multiple set-cookie for SMSESSION

    Broadcom Employee
    Posted May 18, 2018 11:15 AM

    I discovered a strange situation causing me some trouble in managing the application logout.

    Sometimes (not always), when the user selects the logout page, he gets two Set-Cookie commands in the response:

    - the first sets the value LOGGEDOFF;

    - the second sets a new cookie value.

    As a result, the browser sets the second value and the session still remains valid.

    Any idea about this behavior?

    Any possible configuration to check?
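    A quick way to confirm the symptom described in this post from the client side is to capture the raw logout response and check whether a later Set-Cookie for SMSESSION overrides the LOGGEDOFF one (browsers apply Set-Cookie headers in order, so the last value for a given cookie name wins). The script below is an added example, not code from the thread or from the product; the response text it parses is constructed to reproduce the double Set-Cookie case, and the cookie value, domain and paths in it are placeholders.

```python
"""Flag HTTP responses whose Set-Cookie headers reset a cookie after logging it off.

Added example (not from the thread). Browsers honour Set-Cookie headers in
order, so a logout response that sends SMSESSION=LOGGEDOFF followed by a
second SMSESSION with a fresh value leaves the session alive. The functions
below parse a raw response, group Set-Cookie headers by cookie name and
report that condition, so the check can be run over captured responses.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: a logout response carrying two SMSESSION Set-Cookie
# headers, the second of which overrides the LOGGEDOFF marker.
DOUBLE_COOKIE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /area-riservata/loggedout.html\r\n"
    "Set-Cookie: SMSESSION=LOGGEDOFF; path=/; domain=.example.com; secure; HttpOnly\r\n"
    "Set-Cookie: SMSESSION=dGVzdC12YWx1ZQ==; path=/; domain=.example.com; secure; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the expected, healthy logout response.
CLEAN_LOGOUT_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /area-riservata/loggedout.html\r\n"
    "Set-Cookie: SMSESSION=LOGGEDOFF; path=/; domain=.example.com; secure; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_set_cookies(raw_response: str) -> List[Tuple[str, str]]:
    """Return (cookie_name, cookie_value) pairs in the order the headers appear."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            # Only the first "name=value" segment matters; attributes follow ';'
            first_segment = value.strip().split(";", 1)[0]
            cookie_name, _, cookie_value = first_segment.partition("=")
            pairs.append((cookie_name.strip(), cookie_value.strip()))
    return pairs


def effective_cookies(pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    """Mirror browser behaviour: the last Set-Cookie for a name wins."""
    result: Dict[str, str] = {}
    for name, value in pairs:
        result[name] = value
    return result


def find_duplicate_cookies(pairs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Cookie names that were set more than once, with every value seen."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for name, value in pairs:
        seen[name].append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def logout_leaves_session_alive(raw_response: str, cookie_name: str = "SMSESSION") -> bool:
    """True when the response logs the cookie off but a later header re-sets it."""
    values = [v for n, v in parse_set_cookies(raw_response) if n == cookie_name]
    return "LOGGEDOFF" in values and values[-1] != "LOGGEDOFF"


if __name__ == "__main__":
    for label, response in (("double", DOUBLE_COOKIE_RESPONSE), ("clean", CLEAN_LOGOUT_RESPONSE)):
        pairs = parse_set_cookies(response)
        print(label, "duplicates:", find_duplicate_cookies(pairs))
        print(label, "effective SMSESSION:", effective_cookies(pairs).get("SMSESSION"))
        print(label, "session survives logout:", logout_leaves_session_alive(response))
```

Run it against a response saved from the browser's network tab or a proxy capture (headers only, CRLF separated) to tell a genuine double Set-Cookie apart from a second agent or proxy adding its own; the header order the script reports is also what to compare against the web agent trace logs on each hop.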



  • 2.  Re: Multiple set-cookie for SMSESSION

    Posted May 18, 2018 12:10 PM

    Are we sure the logout URL is considered / configured to be an UNPROTECTED resource?

    Did we check the trace log to see what the trace logging states?



  • 3.  Re: Multiple set-cookie for SMSESSION

    Broadcom Employee
    Posted May 18, 2018 12:15 PM

    Dennis,

    Well, the protected realm is /area-riservata and the logout URL is inside it (/area-riservata/logout).

    For this reason I defined a realm specifically for the logout URL and defined it as unprotected.

    Do you think it might not be enough?



  • 4.  Re: Multiple set-cookie for SMSESSION

    Posted May 18, 2018 12:20 PM

    The LogoffURI is defined as an ACO parameter. So the WebAgent decides that it needs to log out the cookie. But when the WebAgent communicates with the Policy Server to check /area-riservata/logout, it may be thinking otherwise. I see you have defined a realm to unprotect /area-riservata/logout. Hence I requested to check the WebAgent trace log. The trace log would have the info.

    Also, could we test by setting IgnoreURL=/area-riservata/logout in the Agent Configuration Object (in addition to LogoffURI=/area-riservata/logout)? See if this resolves OR changes the behavior. That way the WebAgent won't ask the Policy Server for /area-riservata/logout, whether it is protected OR not.



  • 5.  Re: Multiple set-cookie for SMSESSION

    Broadcom Employee
    Posted May 18, 2018 12:53 PM

    Good point.

    I set it and I will check if it occurs again.



  • 6.  Re: Multiple set-cookie for SMSESSION

    Posted May 18, 2018 01:16 PM
    If I am not mistaken, the URL specified in the LogOffUri ACO is implicitly unprotected.

    Also, there is no way the same WebAgent will set a double SMSESSION cookie for the same request.

    99.99% of the time I have seen this happening is when there are multiple WebAgents involved, say a frontend (proxy) and the backend WebAgent. So it is good to check logs from both.




  • 7.  Re: Multiple set-cookie for SMSESSION
    Best Answer

    Posted May 21, 2018 12:51 AM

    Are you using CA Access Gateway 12.7/12.7 SP1?

    I just noticed the following defect fixed in 12.7 SP2:

    Defects Fixed in 12.7.02 - CA Single Sign-On - 12.7 - CA Technologies Documentation

    00925301, 00847757, 00842961

    DE323842

    CA Access Gateway sends two SMSESSION cookies to backend server.



  • 8.  Re: Multiple set-cookie for SMSESSION

    Broadcom Employee
    Posted May 21, 2018 02:42 AM

    I'm not using a CA Access Gateway, but I have the Policy Server at that version.

    I'm checking your previous suggestion. I will analyze this point further if the problem persists.