Web Agent :: SMSESSION : SessionSpec and SessionID

Document ID : KB000030118
Last Modified Date : 14/02/2018

Question:

When a Custom Agent receives an SMSESSION cookie, do the SessionSpec and SessionID change by design?

Answer:

The SessionSpec will change if the Web Agent does not have it in its cache. The SessionID will be kept the same.

Here is the flow of an authentication and authorization process with respect to the SessionSpec:

     1. The Agent collects the user’s credentials.

     2. The Agent sends the Login() request to the
         Policy Server passing the received credentials.
         The Policy Server verifies the credentials and
         creates a Session Spec that represents the newly
         created user session. The encrypted Session Spec
         is sent back to the Agent together with the Session
         ID and other session related parameters (idle
         timeout, expiration timeout, etc.).

     3. The Agent embeds the Session ID and the Session
         Spec in an encrypted SMSESSION cookie that is sent
         back to the user’s browser. The Agent also saves
         the Session ID and the Session Spec in its User
         Session Cache.

     4. Any time an authenticated user accesses
         the Web site, the browser submits the SMSESSION
         cookie together with the HTTP request.

     5. When the Agent receives the SMSESSION cookie, it
         extracts the Session ID and the Session Spec and
         checks them against the values stored in the User
         Session Cache. If the Agent cache doesn’t contain
         a corresponding entry, the Agent uses the Validate()
         call to pass the Session ID and the Session Spec
         to the Policy Server for validation. If the
         validation succeeds, the Policy Server returns the
         updated Session Spec to the Agent. The Session ID
         is not modified in the course of validation.

The SessionSpec is updated each time the Web Agent has to validate the session with the Policy Server because it cannot find the corresponding entry in its cache.
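
The Python sketch below is an added illustration, not code from this article or from the SiteMinder SDK. It models steps 1 to 5 with hypothetical ToyPolicyServer and ToyAgent classes, using a random token in place of the encrypted Session Spec, and sends one session through two agents so that the second one takes the cache-miss path.

```python
# Added illustration: toy model of the flow above, NOT the SiteMinder Agent API.
# All names are hypothetical; the Session Spec is modelled as a random token.
import secrets

class ToyPolicyServer:
    def __init__(self):
        self.issued = {}  # session_id -> set of Session Specs issued for it

    def login(self, user, password):
        # Step 2: credential check omitted; create Session ID and Session Spec.
        session_id, spec = secrets.token_hex(8), secrets.token_hex(16)
        self.issued[session_id] = {spec}
        return session_id, spec

    def validate(self, session_id, spec):
        # Step 5: on success return an updated Spec; the ID is never modified.
        if spec not in self.issued.get(session_id, set()):
            raise PermissionError("session validation failed")
        new_spec = secrets.token_hex(16)
        self.issued[session_id].add(new_spec)
        return new_spec

class ToyAgent:
    def __init__(self, policy_server):
        self.ps = policy_server
        self.cache = {}  # User Session Cache: session_id -> session_spec

    def login(self, user, password):
        # Steps 1-3: get ID + Spec, cache them, return the cookie contents.
        session_id, spec = self.ps.login(user, password)
        self.cache[session_id] = spec
        return {"session_id": session_id, "session_spec": spec}

    def handle_request(self, cookie):
        # Steps 4-5: cache hit keeps the cookie; a miss triggers Validate().
        sid, spec = cookie["session_id"], cookie["session_spec"]
        if self.cache.get(sid) != spec:
            spec = self.ps.validate(sid, spec)
            self.cache[sid] = spec
        return {"session_id": sid, "session_spec": spec}

def demo():
    ps = ToyPolicyServer()
    agent_a, agent_b = ToyAgent(ps), ToyAgent(ps)
    c0 = agent_a.login("alice", "constructed-password")
    c1 = agent_a.handle_request(c0)  # cache hit on agent A
    c2 = agent_b.handle_request(c1)  # cache miss on agent B
    return c0, c1, c2
```

In demo(), the cookie returned by agent A is unchanged, while the one returned by agent B carries the same Session ID with a new Session Spec. Custom agent logic that correlates requests should therefore use the Session ID rather than the Session Spec.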