Layer7 Access Management

Expand all | Collapse all

Is it secure to send siteminder user session ID as SM header response?

Jump to Best Answer
  • 1.  Is it secure to send siteminder user session ID as SM header response?

    Posted 12-15-2017 04:26 AM

    Team,

     

    We have a requirement to send the siteminder user session ID to the application for some logic. Is it secure from security perspective to send the siteminder user session ID to the application via siteminder header response.

     

    Any help will be greatly appreciated.

     

    Thanks,

    Rashmeet



  • 2.  Re: Is it secure to send siteminder user session ID as SM header response?
    Best Answer

    Posted 12-15-2017 12:43 PM

    If it's in your domain and participating in SSO, wouldn't it already have the session ID (and encrypted cookie value)? It's also one of the default headers available to Web Agents (if not disabled in the ACO):

     

    HTTP_SM_SERVERSESSIONID

    Indicates a unique string that identifies a user session.

     

    Sessions are important to protect, but so long as its sent securely in a header and the application handles it all safely not sure why it'd be a problem.