Hi All -
Could you please have a look at the below issue and provide your thoughts.
Below is the scenario / issue :
1. API Gateway has a service called authenticate to validate the user's credentials and to send the SMSESSION cookie as a response
2. A Single Page Application (SPA) calls the API Gateway's authenticate service with valid user credentials
3. API Gateway validates the user's credentials and is able to send the SMSESSION cookie in Response Cookies for that authenticate service. I am able to see the cookie in Developer's Tool as well . Assume that the SMSESSION cookie domain is .testdomain.com
So far so good.
4. Now SPA redirects the user to the protected URL as the authentication is successful. For ex, the protected URL is https://dev.testdomain.com/protect/userprofile.html
5.For some reason, the SMSESSION cookie is NOT available on the https://dev.testdomain.com/protect/userprofile.html URL and the siteminder policy server is redirecting the user to the login page by assuming that there is no valid SMSESSION in the browser.
Issue : Why is the SMSESSION cookie not available for the subsequent URLs even though the SMSESSION cookie is available on the same domain on the step # 3 above.
Any quick help is greatly appreciated as it is a critical issue for us. Thank you
Please let me know for any further details.
Thanks & Regards,
Can you verify in the Web console in the network request if the browser is including the SMSESSION cookie in the request to the protected url?
It could be a issue with how the cookie is being generate and its not being sent at all, or its being rejected and user is being redirected for authentication.
Yes there can be variety of reasons, either SMSESSION cookie is not sent, or it is rejected when it gets there - but console log (and or fiddler trace, since console does not quite show 401 responses so well). will help isolate it.
Cheers - Mark
Are you able to solve this issue. Could you share your workaround?
I was having similar issue, your solution might help. Thanks in advance
I don't know what the answer was in the original case, but if you have similar issue, where you see set-cookie SMSESSION = *** , but the SMSESSION is not sent back to site on subsequent requests. Then there is somethign about (or wrong) with the set-cookie command, and it did not take.
There can be a bunch of reasons : some are :
a) /secure and sending back to http site,
b1) wrong domain domain set to = .x.x and request from domian=.y.y, b2) domain missing leading ".", or missing domain, means is host only cookie, so not sent to other host in domain.
b3) Chome rejects set-cookie from some .amazon.com subdomains (compute or something like that)
So best to look carefully at the Set-Cookie rquest you got back, and also check the F12 console for errors.
Post fiddler/ .har trace here is you want and can check it.