I am using Siteminder 12.5. In my setup, when a user logs in, we set a number of custom session cookies. We would like to set one persistent cookie. This cookie would be used by our web analytics tool for page view tracking. If a user logs out of Siteminder, restarts the browser, etc., we want this one cookie to remain. We want our web analytics tool to continue tracking the user after they have logged out from Siteminder.
Is there a way to have Siteminder set one custom cookie that persists and still have the other cookies remain session cookies?
By persistent, do you mean a cookie in the user's browser, or also on the user's drive?
You could set an HTTP_COOKIE (in the user's browser) response using SiteMinder responses as part of a successful authentication event (OnAuthAccept). As long as the user's browser is open, even if he logs out from SiteMinder (SiteMinder session cookies are killed), the response cookie would be present. However, if he closes the browser, then I guess that cookie is lost.
You can name this cookie and set any value you'd like (either Static or UserAttribute from UserStore).
Remember this cookie would be a persistent cookie which is set using responses. Hence make sure you are not exposing any identity threats by setting values that could compromise. There are also ways / tricks to reset the cookie value (e.g. just before logout OR on accessing a particular resource protected by SiteMinder). But these are solution designs, and care should be taken whilst doing these custom solutions.
By persistent, I mean I want the cookie to expire on a future date (i.e. 1/1/2027) and not get lost when the browser is closed.
This cookie would not expose any data that could compromise the user.
The problem is I don't see how to set the cookie expiration date for just one cookie.
I think I figured it out. In the Advanced section of the Response attribute setup, I added the cookie's expire date. That seems to carry over. Now for this one cookie the expiration date is set to 1/5/25 and it stays even when I close/restart the browser. The other Siteminder cookies get lost when I restart the browser (which is what I want).
Can anyone see any reason I shouldn't go this route?
I don't see any reason why not; unless the data for which the cookie is going to be used has sensitive information OR the cookie itself has sensitive information. If the security side is evaluated this looks good to go.
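A check for the setup discussed in this thread, as an added example that is not part of any post above and not SiteMinder's own code: it parses the Set-Cookie headers of a login response and confirms that only the intended cookie is persistent. The headers are constructed, and the cookie names APP_ROLE and ANALYTICS_ID are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers for a login response. APP_ROLE and
# ANALYTICS_ID are hypothetical names; the values are placeholders.
SAMPLE_HEADERS = [
    "SMSESSION=placeholder; Path=/; Secure; HttpOnly",
    "APP_ROLE=member; Path=/",
    "ANALYTICS_ID=7f3c9a; Path=/; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Secure",
]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, attrs); attr names lowercased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def lifetime(attrs, now):
    """Max-Age takes precedence over Expires; neither means session cookie."""
    if "max-age" in attrs:
        return "persistent" if int(attrs["max-age"]) > 0 else "expired"
    if "expires" in attrs:
        return "persistent" if parsedate_to_datetime(attrs["expires"]) > now else "expired"
    return "session"

def audit(headers, allowed_persistent, now):
    """Return findings; an empty list means only the allowed cookies persist."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        kind = lifetime(attrs, now)
        if kind == "persistent" and name not in allowed_persistent:
            findings.append(f"{name}: persistent, expected session-only")
        if kind != "persistent" and name in allowed_persistent:
            findings.append(f"{name}: expected persistent, got {kind}")
        if kind == "persistent" and "secure" not in attrs:
            findings.append(f"{name}: persistent without Secure")
    return findings

if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for repeatable output
    for line in audit(SAMPLE_HEADERS, {"ANALYTICS_ID"}, now) or ["policy holds"]:
        print(line)
```

Feed it the Set-Cookie lines captured from a real login response to confirm that an expiry added to one response attribute did not carry over to the others.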