SDK Agent cannot decode SMSESSION cookie after rolling the Agent Keys 3 times

Document ID : KB000044595
Last Modified Date : 14/02/2018

Question :

  Running SDK Agent, once the Agent Keys have been rolled over two times,
  the decodeSSOToken() method isn't able to decode the SMSESSION cookie
  anymore and my SDK Agent always throws an exception.

  How often can the Agent Keys be rolled over before the SDK Agent cannot decode it anymore?
  Two or three times?

  I'd say three times because there are 3 keys: the PAST, CURRENT and FUTURE.

Environment :

  This applies to all Agent versions.

Answer :

   By design, if you roll the Agent Keys two times, the SDK Agent won't be able to decode the SMSESSION cookie anymore.
   The three keys held at each step are shown in parentheses, with the Current Key in the middle.

   1 - The SMSESSION cookie is encrypted with the Current Key (k1). (k0-k1-k2)
   2 - At the first roll, the Current Key (k1) becomes the Old Key,
       and the previous Old Key (k0) is no longer available (k1-k2-k3).
   3 - At the second roll, the key that encrypted the SMSESSION
       cookie (k1) is no longer available, so the SMSESSION cookie cannot
       be decoded by the Web Agent (k2-k3-k4).
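
   The three-key window described above can be modelled in a few lines. This is an added example, not CA/SiteMinder code: the KeyRing class and its methods are hypothetical, and an HMAC tag stands in for the real cookie encryption so that "decode" fails exactly when the issuing key has left the window.

```python
import hashlib
import hmac
import secrets
from collections import deque


class KeyRing:
    """Hypothetical three-slot key window: (old, current, future)."""

    def __init__(self):
        self._next_id = 0
        self.slots = deque((self._new_key() for _ in range(3)), maxlen=3)

    def _new_key(self):
        key = (f"k{self._next_id}", secrets.token_bytes(32))
        self._next_id += 1
        return key

    def roll(self):
        # Appending to a maxlen=3 deque drops the old key and shifts the rest.
        self.slots.append(self._new_key())

    def names(self):
        return [name for name, _ in self.slots]

    def issue(self, payload: bytes) -> bytes:
        # Tokens are always produced with the key in the "current" slot.
        _, current = self.slots[1]
        return hmac.new(current, payload, hashlib.sha256).digest() + payload

    def decode(self, token: bytes) -> bytes:
        tag, payload = token[:32], token[32:]
        for _, key in self.slots:
            expected = hmac.new(key, payload, hashlib.sha256).digest()
            if hmac.compare_digest(tag, expected):
                return payload
        raise ValueError("no key in the window matches this token")


def rolls_until_undecodable(max_rolls: int = 10) -> int:
    """Count the rolls after which a token issued before any roll stops decoding."""
    ring = KeyRing()
    token = ring.issue(b"constructed-session-data")  # constructed sample payload
    for rolls in range(1, max_rolls + 1):
        ring.roll()
        try:
            ring.decode(token)
        except ValueError:
            return rolls
    return -1
```

   A session issued under k1 survives the first roll because k1 moves to the old slot, and fails after the second roll, which is why any rollover schedule has to leave more than the maximum session lifetime between two consecutive rolls.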