Why is SMSESSION cookie gone missing

Document ID : KB000108967
Last Modified Date : 01/08/2018
Show Technical Document Details
Introduction:
SMSESSION cookie gets lost during during login process and user gets challenged again.
 
Question:
Why is SMSESSION cookie not submitted for certain sites during login process? (Which is causing a redirect loop for login)

Use case:

Protected site1: https://www.test.lab/protected/
Protected site2: https://application.test.lab/protected/
Login site: https://login.test.lab/siteminderagent/forms/login.fcc

User access site1 and get redirected to login page.
User submit credentials and gets access to site1 successfully.
User then access site2 and gets redirected to login page.
From header trace, SMSESSION cookie was successfully set and submitted to site1 and login site.
SMSESSION gets lost when accessing site2.
Environment:
Internet Explorer is used.


 
Answer:
The reason why the browser is not submitting cookie can be many reasons but when Internet Explorer is involved you need to check if all those sites are registered in the same Zone.
In the above use case, it is highly likely that site1 and login site are registered in the "Local Intranet" or "Trusted Sites" zone while site2 is "Internet" zone or not registered in any sites at all.

IE maintains cookies based on the Zones and do not share the cookies if the zones do not match.
site1 and login site are in Trusted Sites zone so the SMSESSION cookie will be submitted if the cookie was set in this zone.
If site2 is in a different zone, even if the cookie domain and path and secure flag match, the cookie would not be submitted.

Following article describes in more detail.
https://blogs.msdn.microsoft.com/ieinternals/2011/03/10/beware-cookie-sharing-in-cross-zone-scenarios/
Additional Information:
Microsoft Developer Blog: https://blogs.msdn.microsoft.com/ieinternals/2011/03/10/beware-cookie-sharing-in-cross-zone-scenarios/