Symantec Access Management


Is it secure to send SiteMinder user session ID as SM header response?

  • 1.  Is it secure to send SiteMinder user session ID as SM header response?

    Posted Dec 15, 2017 04:26 AM

    Team,

    We have a requirement to send the SiteMinder user session ID to the application for some logic. Is it secure from a security perspective to send the SiteMinder user session ID to the application via a SiteMinder header response?

    Any help will be greatly appreciated.

    Thanks,

    Rashmeet



  • 2.  Re: Is it secure to send SiteMinder user session ID as SM header response?
    Best Answer

    Posted Dec 15, 2017 12:43 PM

    If it's in your domain and participating in SSO, wouldn't it already have the session ID (and encrypted cookie value)? It's also one of the default headers available to Web Agents (if not disabled in the ACO):

    HTTP_SM_SERVERSESSIONID

    Indicates a unique string that identifies a user session.

    Sessions are important to protect, but so long as it's sent securely in a header and the application handles it all safely, not sure why it'd be a problem.