Some times(most times) when I authenticate to Policy server(tried IWA/Basic) , I get 2 SMSESSION cookies. I am not sure since when it started to happen but only realized this week as we tried to implement persisent sessions. For every authentication, there is a persistent session created in session store, which I can confirm by looking at the count. Session timeout is set to 90 days in SiteMinder resource realm. However , upon authentication when the cookies are set in my browser, I have 2 SMSESSION cookies, one of them has 'Expiry Date'(indicating that its a persistent cookie) , and the other SMSESSION has no 'Expiry' which means browser will discard it upon closing the browser. Upon subsequent HTTP transactions of the same request, browser keeps one of the 2 SMSESSIONs. If it chooses to keep the one with 'Expiry Date', then my session continues even after I restart my browser multiple times. This will work until I clear my browser cache manually.
However, if my browser chooses to keep the one without 'Expiry Date', then my session is lost upon closing the browser. What can be happening here?
Product Name=CA SiteMinder Web Agent
ProductName=CA SiteMinder Policy Server
Can you upload fiddler ?
For other's benefit , we idenfied the RCA for this ..
Here is summary..
So basically when the NTC challenge is compelete, both the front/back agent sets SMSESSION cookie for the same cookie domain. So, eventually the browser takes only one cookie which happens to be the one set by TAI agent and is Non persistent.
Configure TAI agent to also set Persistent Cookie.
Let's continue it here..
So enabling persistent cookie on TAI agent didnt' help.
After enabling persistent cookie you see :
"UseOnlyProxySESSIONCOOKIE" is not supported on ASA ACO. It's expected ASA not load the parameter. As you mentioned this is ASA specific use case, I presume you have another working ASA environment.
If that's the case, compare between the working and non-working environment logs might give us some hints.
Thanks Ujwal/Kar Meng.
By enabling persistentcookies and prevalidation, TAI is generating persistent cookies and resolved my issue. However, TAI still generated its SMSESSION which means I still have 2 SMSESSIONS. Since both of them are persistent, my issues is resolved.
UseOnlyProxySESSIONCOOKIE is a valid ACO setting which I am using but I cant find documentation around it. I will create a ticker with CA to see if they could help. Thanks Ujwol for your timely response as usual.
No worries Anil. Happy to help