Symantec Access Management


User view issues in SPS

  • 1.  User view issues in SPS

    Posted Nov 14, 2016 07:04 AM

    Hello,

     

    We are facing one issue in application login where the application is protected by SiteMinder and uses SPS as the reverse proxy.

    The scenario is User A logs into the application, works as per his privileges and logs out. User B logs into the same application in the same browser without closing and reopening the browser.

    User B gets the same view that User A last accessed, but after refreshing/clicking on any tab once, user B gets his own view.

    User B is not able to perform any actions from User A's console but he is able to view the application-view for user A.

    In the second case, the same application is using Apache as the reverse proxy; in this case the previous user's view is never visible to the new user.

     

    Please suggest what could be the possible reason for this behavior, and how it can be resolved.

     

    Regards,

    Aditi



  • 2.  Re: User view issues in SPS

    Posted Nov 14, 2016 06:12 PM

    Hi Aditi,

     

    Using Fiddler, can you check that after User A logs out the SMSESSION cookie is deleted to "logged off"?

     

    Regards,

    Ujwol



  • 3.  Re: User view issues in SPS

    Posted Nov 14, 2016 11:19 PM

    Yes Ujwol, when user A logs out, the SMSESSION cookie is deleted to "logged off".

     

    Regards,

    Aditi



  • 4.  Re: User view issues in SPS

    Posted Nov 15, 2016 07:08 PM

    Hi Aditi,

    What is the authentication scheme used? Looks like caching on the web server. A Fiddler trace of the use case should give us a better idea.

     

    Regards,

    Kar Meng



  • 5.  Re: User view issues in SPS

    Posted Nov 16, 2016 04:03 AM

    Hello Kar,

     

    We are using a form-based authentication scheme.

    Please refer to the attached Fiddler logs for reference.

     

    Regards,

    Aditi

    Attachment(s)

    SPS Fiddler Logs.zip   371 KB 1 version


  • 6.  Re: User view issues in SPS

    Posted Nov 16, 2016 05:54 AM

    Hi Aditi,

     

    I have checked the attached Fiddler trace, and I do see the log off taking place correctly. However, when the second user logs in, I see the same JSESSIONID cookie is maintained:
    JSESSIONID=4A2B2BF9D0A5AD00CA9390A311561B19
    JSESSIONID=4A2B2BF9D0A5AD00CA9390A311561B19

     

    This is a Java cookie generated by the backend web server for session management, which can explain the behavior you are seeing depending on the backend cache settings. It should be removed when the session is closed on the backend, in addition to the logoff on the SM side.

     

    You may want to review your log out page to see how it is closing the session on the backend, and when calling the index JSP page for logout, it may contain code to invalidate the session or a page session=false to ensure it is being emptied as well.

     

    I hope this helps.

    Albert
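
Added example, not part of the thread or of any poster's code: a Python check for the pattern described in the reply above, a backend JSESSIONID that keeps being sent after an SMSESSION logoff and a new login. The traces are constructed sample data, the function names are hypothetical, and the logged-off marker is assumed to be the string "LOGGEDOFF" (the thread writes it as "logged off").

```python
def parse_pairs(header):
    """Return {name: value} for the name=value parts of a Cookie or Set-Cookie header."""
    pairs = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.setdefault(name, value)
    return pairs

def reused_backend_sessions(transactions, sso="SMSESSION", backend="JSESSIONID"):
    """transactions: ordered (request Cookie header, [response Set-Cookie headers]).
    Returns backend session ids still accepted unchanged after a logoff and re-login."""
    epoch, logged_off = 0, False   # epoch counts completed logoff -> login cycles
    first_epoch, reused = {}, set()
    for request_cookies, set_cookies in transactions:
        sid = parse_pairs(request_cookies).get(backend)
        issued = [parse_pairs(h) for h in set_cookies]
        # The backend replaced or cleared the id in this response.
        rotated = any(backend in c and c[backend] != sid for c in issued)
        if sid and not logged_off:
            if first_epoch.setdefault(sid, epoch) != epoch and not rotated:
                reused.add(sid)
        for c in issued:
            value = c.get(sso)
            if value is None:
                continue
            if value.lower().replace(" ", "") == "loggedoff":  # assumed marker
                logged_off = True
            elif logged_off:       # fresh SSO token after a logoff: next login
                epoch, logged_off = epoch + 1, False
    return sorted(reused)

# Constructed trace: the backend session id survives User A's logout.
LEAKY_TRACE = [
    ("SMSESSION=tokenA; JSESSIONID=AAAA1111", []),
    ("SMSESSION=tokenA; JSESSIONID=AAAA1111", ["SMSESSION=LOGGEDOFF; path=/"]),
    ("SMSESSION=LOGGEDOFF; JSESSIONID=AAAA1111", ["SMSESSION=tokenB; path=/"]),
    ("SMSESSION=tokenB; JSESSIONID=AAAA1111", []),
]
# Constructed trace: logout clears JSESSIONID and the backend issues a new one.
FIXED_TRACE = [
    ("SMSESSION=tokenA; JSESSIONID=AAAA1111", []),
    ("SMSESSION=tokenA; JSESSIONID=AAAA1111",
     ["SMSESSION=LOGGEDOFF; path=/", "JSESSIONID=; Max-Age=0; path=/"]),
    ("SMSESSION=LOGGEDOFF", ["SMSESSION=tokenB; path=/"]),
    ("SMSESSION=tokenB", ["JSESSIONID=BBBB2222; path=/; HttpOnly"]),
    ("SMSESSION=tokenB; JSESSIONID=BBBB2222", []),
]

if __name__ == "__main__":
    print("leaky:", reused_backend_sessions(LEAKY_TRACE))
    print("fixed:", reused_backend_sessions(FIXED_TRACE))
```

A request that still carries the old id after the new login is not flagged when the response to it sets a different JSESSIONID, since that is the backend rejecting the stale session.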



  • 7.  Re: User view issues in SPS

    Posted Nov 18, 2016 12:46 AM

    Thank you Albert for the analysis!

     

    But for the same application, when we are using Apache as the reverse proxy, the user view issue is not faced.

    Is there any possibility that SPS is caching the JSESSIONID cookie for user A and not replacing it with the JSESSIONID cookie for user B, because this is not happening in the case of Apache?

    As soon as user B clicks on some tab or refreshes the page, the view changes for User B.

     

    Please suggest!

    Regards,

    Aditi



  • 8.  Re: User view issues in SPS

    Posted Nov 21, 2016 10:07 PM

    Hi Aditi,

     

    In server.conf, do you have "enablecachepostdata" set to no (default value)? If you happen to have set it to yes, try setting it to no.

     

      #This parameter is applicable to the caching of POST data.
      #"no"--- Default Value. Post data is not cached by SPS.
      #"yes"--- POST data Caching enabled
      enablecachepostdata="no"

     

    Regards,

    Kar Meng



  • 9.  Re: User view issues in SPS

    Posted Nov 22, 2016 11:34 PM

    Hello Kar,

     

    Yes, this value is set to "yes" in our case. But it was changed to yes on the suggestion of CA support in order to improve the performance of SPS.

     

    Please suggest whether setting it to no will impact the performance of SPS in any way.

     

    Regards,

    Aditi



  • 10.  Re: User view issues in SPS

    Posted Nov 23, 2016 06:24 PM

    Hi Aditi,

    The objective of setting enablecachepostdata="no" is to isolate whether this parameter is causing the issue. You can change it back to yes after the testing.

     

    Regards,

    Kar Meng



  • 11.  Re: User view issues in SPS