Symantec Access Management

Hello,

Can someone help me to understand Differences between persistence session and non persistence session

in depth, 

Thank you so much in advance

Shankar

CA SiteMinder® implements session management using session tickets. A session ticket contains basic information about a user and the authentication information for that user. The session ticket is used to identify the session of the user across all sites in a single sign–on CA SiteMinder® environment. Session tickets are encrypted and only the Policy Server can read/validate them. CA SiteMinder® web agents use session tickets to identify users and provide session information to the Policy Server.

The session ticket is handled differently depending upon whether the session is persistent or non–persistent.

Note: Non–persistent and persistent cookies are unrelated to the CA SiteMinder® session of the user being non–persistent or persistent.

The session ticket data is used as an index into the cache of the web agent, which contains the user session data. If a cookie is written, no user–specific data is kept in the cookie itself. The web agent is responsible for validating the session and enforcing the session timeouts.

• Non–persistent session

The web agent places the session ticket in a cookie. The cookie contains the user session data; no user-specific data is kept in the cookie itself. The web agent is responsible for validating the cookie and enforcing session timeouts.  There is no session store database involved.

• Persistent Session

The web agent places the session ticket in a session store database (DataBase or CA Directory) and, if possible, in an optional cookie on the client.

With session store database in use, user login performance can be affected to some degree.

 

The session ticket data is used as an index into the cache of the web agent, which contains the user session data. If a cookie is written, no user–specific data is kept in the cookie itself. The web agent is responsible for validating the session and enforcing the session timeouts.

 

Hope this helps.

 

Hongxu

Hi

I have several questions and I hope you can help me.

Does smsession ticket regenerates each n secs as established in sessiongraceperiod value even if I have configured persistent sessions?

Is there any relation between smSessionBlob attribute value in session store and SMSESSION cookie value? 

How can i look for a defined user persistent session in session store?

Thank you very much.

Adding to what Hongxu said, for me the single most value add of having persistent session is the ability to implement full logout and thus ensuring session protection.

If the non-persistent session cookie is logged off, it can be stole and replayed until its idle/max expiry timeout.

However, if the persistent session cookie is logged off, even if is stolen , it can't be replayed as it will be then validated against session store.

So, having persistent session with shorter validation period will always ensure that cookie can't be replayed.

Also, for some of the other more secure feature such as "Enhanced Session Assurance", having persistent session is a pre-requisite.

Thank you so much Hongxu and Ujwol, this is exactly what I want.

Much appreciated for the information.

On Wed, Feb 15, 2017 at 6:34 AM, Ujwol <