Symantec Access Management

Expand all | Collapse all

Killing SMSESSION  COOKIE using a jsp file

Jump to Best Answer
  • 1.  Killing SMSESSION  COOKIE using a jsp file

    Posted 04-10-2018 10:47 AM

    Hello,
    I have recently been facing the issue above when trying to redirect any user from my WebAccess Controlinfrastructure to my Web Access Management Infrastructure in order to be authenticated with a higher Authentication Level
    In fact the first user gets authenticated and then got an SMSESSION with an authentication Level of 5.
    After that the user tries to access an application that needs a higher authentication level
    So the user is being redirected to the WAM I, nfrasturctureto GET an SMESSION cookie with a higher authentication Level
    The problem is that after getting a SAML Assertion

     

    between the WAM and the WAC infrastructure, we could easily generate the Smsession cookie in the Federation domaine.
    But whenever we had already generated a cookie in the WAC domain within AuthentLevel of 5, our cookie provider does not modifier the Authentication Level, it has only validated the session of the user.
    So we still have the SMSESSION with Authentication Level of 5, and then could not Access to the Application ant then the authentication scheme is called Back, so we went in an undetermined loop.
    Could anyone help us on how to kill the SMSESSION cookie before going to the WAM infrastructure.

     

    Thank you.

     

    Policy Server Version : 12.5.0

    WebAgent version : SiteMinder APACHE 2.2 WebAgent, Version 12.0 QMR03, Update HF-13, Label 950



  • 2.  Re: Killing SMSESSION  COOKIE using a jsp file
    Best Answer

    Posted 04-23-2018 10:46 AM

    To kill an SMSESSION cookie you just need to set a new cookie with the name SMSESSION and a value like "Logged Out", with / as the path and appropriate domain. That will overwrite the existing SMSESSION cookie with a value that the web agent will reject.