How is the resolved Cookie Domain determined for a Single Sign On (fka SiteMinder) Agent?

Document ID : KB000045343
Last Modified Date : 14/02/2018

Issue: 

Two SMSESSION cookies are created: one for domain A and the other for a subdomain of A.

 

Environment:

Single Sign On (fka SiteMinder)

 

Cause:

This issue is the result of two or more Single Sign On (fka SiteMinder) Agents being involved in the flow of a single request (for instance, a Standard Web Agent on a proxy in front of an Application Server that has a Single Sign On Application Server Agent installed) where the Cookie Domain configured for the two Agents does not match. Although you will not see two cookies created at authentication, both Agents can issue a "Set-Cookie" header back to the browser in the same response in order to "update" the SMSESSION cookie. This is encountered when the front-end Web Agent is configured with a Cookie Domain that is one or more "dots" shorter than the Cookie Domain of the back-end Agent. A cookie set in the ".b.com" Cookie Domain is presented by the browser on a request to a Web/Application Server in the ".a.b.com" domain. So, if the front-end Agent creates its cookie in the ".b.com" Cookie Domain and the back-end Agent creates its cookie in the ".a.b.com" Cookie Domain, the browser can end up holding two cookies that are both "appropriate" for the same request to a Web/Application Server in the ".a.b.com" domain. There is no guarantee which of the two cookies will be presented first and processed by the Agents.

 

Resolution:

Ensure that both Agents in the flow have the same settings for the CookieDomain and CookieDomainScope parameters in their Agent Configuration Objects (ACO). The SMSESSION cookies set by a Web Agent are governed by the “CookieDomain” and “CookieDomainScope” ACO settings. If “CookieDomain” is set to a value, then it does not matter what the “CookieDomainScope” is set to; the Agent will create cookies in the domain defined in the “CookieDomain” setting. If the "CookieDomain" is set to a value of "NONE", then the cookie is created without a Domain making it a "Host-Only" cookie.

If “CookieDomain” is not set to a value (BLANK), then the SMSESSION cookie will be set based on the Resolved Host of the request and the “CookieDomainScope” setting.

 

If the Resolved Host is "mymachine.a.b.c.d.e.com", CookieDomain is <Blank>, and the CookieDomainScope is:

"0" - the Cookie Domain would be ".a.b.c.d.e.com"

"1" - invalid configuration; you cannot use a CookieDomainScope of "1", because you cannot create a cookie in the ".com" top-level domain.

"2" - the Cookie Domain would be ".e.com"

"3" - the Cookie Domain would be ".d.e.com"

"4" - the Cookie Domain would be ".c.d.e.com"

"5" - the Cookie Domain would be ".b.c.d.e.com"

"6" - the Cookie Domain would be ".a.b.c.d.e.com"

"7" - the Cookie Domain would not be set (Host-Only cookie)