When a Custom Agent receives an SMSESSION cookie, will the SessionSpec and SessionID change or not by design ?
The SessionSpec will change if the Web Agent does not have it in its cache. The SessionID will be kept the same.
Here is the flow of an authentication and authorization process in light of the SessionSpec :
1. The Agent collects the user’s credentials.
2. The Agent sends the Login() request to the
Policy Server passing the received credentials.
The Policy Server verifies the credentials and
creates a Session Spec that represents the newly
created user session. The encrypted Session Spec
is sent back to the Agent together with the Session
ID and other session related parameters (idle
timeout, expiration timeout, etc.).
3. The Agent embeds the Session ID and the Session
Spec in an encrypted SMSESSION cookie that is sent
back to the user’s browser. The Agents also saves
the Session ID and the Session Spec in its User
4. Any time when an authenticated user accesses
the Web site, the browser submits the SMSESSION
cookie together with a HTTP request.
5. When the Agent receives the SMSESSION cookie, it
extracts the Session ID and the Session Spec it
checks them against the values stored in the User
Session Cache. If the Agent cache doesn’t contain
corresponding entry, the Agent uses the Validate()
call to pass the Session ID and the Session Spec
to the Policy Server for validation. If the
validation succeeds, the Policy Server returns the
updated Session Spec to the Agent. The Session ID
is not modified in the course of validation.
The SessionSpec gets updated each time the Web Agent needs to validate the Session with the Policy Server and cannot refer to the object in its cache.