I know SMTRYNO is used to store the failed login attempts. Is there any other way to achieve this same functionality using Siteminder without using this cookie?
Actually we need this to remediate the pen testing findings. Please advise.
What exactly are you trying to remediate? Do you want to get rid of login failure tracking using a cookie?
You can also track the login failures on the server side by implementing a password policy.
So you can configure the password policy to disable user login after, say, 3 successive failed login attempts and re-enable it after X minutes.
Does that work for you?
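The server-side alternative suggested above, as an added illustration that is not part of the original thread and not SiteMinder code: a hypothetical tracker that counts consecutive failures per user on the server, disables login after 3 failures, and re-enables it once the lockout window has passed. The credential map and the clock are constructed here so the example runs offline; the SMTRYNO cookie plays no part in it.

```python
"""Server-side lockout: 3 successive failures disable login, auto-unlock after X minutes.

Hypothetical stand-in for the password-policy behaviour described in the reply
above, not SiteMinder's implementation. Credentials and clock are constructed.
"""
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 3            # disable the account after 3 successive failures
LOCKOUT_SECONDS = 15 * 60   # re-enable it after X = 15 minutes (assumed value)


@dataclass
class AccountState:
    failures: int = 0        # consecutive failures since the last success/unlock
    locked_until: float = 0  # epoch seconds; 0 means not locked


class LoginTracker:
    """Keeps the failure counter on the server, so the client cannot reset it."""

    def __init__(self, credentials, clock=time.time):
        self._creds = credentials   # constructed user -> password map
        self._state = {}            # user -> AccountState
        self._clock = clock         # injectable for deterministic testing

    def attempt(self, user, password):
        """Return 'ok', 'failed' or 'locked' for one login attempt."""
        now = self._clock()
        state = self._state.setdefault(user, AccountState())
        # Lockout is evaluated before the password: a correct password during
        # the window is still rejected, so guessing cannot continue meanwhile.
        if state.locked_until > now:
            return "locked"
        if state.locked_until:              # window expired: account re-enabled
            state.failures, state.locked_until = 0, 0
        stored = self._creds.get(user, "")
        if stored and hmac.compare_digest(stored, password):
            state.failures = 0              # success resets the counter
            return "ok"
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"


if __name__ == "__main__":
    tracker = LoginTracker({"alice": "s3cret"})
    for pw in ("wrong", "wrong", "wrong", "s3cret"):
        print(pw, "->", tracker.attempt("alice", pw))
```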
Hi Ujwol Shrestha,
Thanks for your suggestion. Yes, I expect the options which you provided to me.
I would like to know: is the SMTRYNO cookie set by default by Siteminder?
Will SMTRYNO not be set if we change FCCCompatMode=YES in the ACO? Also, is SMTRYNO set for all types of authentication scheme or only for the HTML form-based authentication scheme?
Is there any section in the Siteminder documentation on SMTRYNO or other cookies that would help me understand them? It would be helpful for me.
Please find my answers below:
Ujwol => Yes, this is set automatically by the CA SSO web agent if the login page (login.fcc) has the @smretries directive set to a value >0.
Reference: Configure HTML Forms Authentication - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
smretries: Indicates the number of times a browser can try to log in. This directive acts as a counter; it is not a security mechanism. If you set this directive to 0, the number of log-in attempts is unlimited. If you set the number to 1 or greater, that indicates the number of log-in retries allowed. After you reach the limit, the browser displays the DynamicRetry.unauth page. This page can display a configured message explaining why the login failed. For smretries to be useful, configure this unauthorized file.
You can use smretries to improve the user experience, for example:
After a failed log-in attempt, you can display a message in the browser instructing the user what action to take.
After a specific number is reached, display an invalid login message and redirect the user back to the login page to try again.
Ujwol => It will still set the SMTRYNO cookie, as long as you have the @smretries directive in login.fcc.
Ujwol => It is set only for the HTML form-based authentication scheme.
Ujwol => For SMTRYNO refer to: Configure HTML Forms Authentication - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation. For any other cookies please refer to the documentation. If you can't find details of any specific cookie, let me know.
This is really helpful, however I see the issue below while using the SMTRYNO cookie. I have explained the issue along with the actual application flow.
Question: How can we avoid showing the invalid credentials error message at step #6? For this to happen, should the SMTRYNO cookie be set to 0 when the user clicks on the application logo, or do we have to change the code to throw the error message based on the combination of the SMTRYNO cookie and some other cookie?
I am sure other clients must also have faced this issue. Any suggestions?
Thank you so much for the information you provided to me.
Is it possible not to show the cookie domain name for SMTRYNO Cookie?
Any suggestions on this?
Glad to help. If your question has been answered, could you please mark my answer as correct to close this thread?