Symantec Access Management

  • Private Community
 View Only

  • 1.  SMSESSION cookie not present

    Posted Jun 12, 2018 08:34 PM

    We are seeing strange issue with one of our non-production environment.  Users would login to web application at https://app.example.com and then click on a hyperlink to: https://smfss.example.com/affwebservices/saml2sso?spid=xxxx.

     

    This no longer works because for some reason when the user first login to https://app.example.com and SMSESSION cookie is created at this point, but once they try to request: https://smfss.example.com/affwebservices/.... the SM web agent option pack at https://smfss.example.com says that it there is no SMSESSION cookie present so it redirect the user to login page.

     

    When the request leaves https://app.example.com the browser no longer has the SMSESSION cookie.  The only changes that was recently made was to change the DNS/URL previously from https://app.example.com to https://www.app.example.com.  This change was made in DNS and load balancer, but we really don't think this would cause the SMSESSION cookie to be restricted only to: https://app.example.com.

     

    Much appreciate you help on this!



  • 2.  Re: SMSESSION cookie not present
    Best Answer

    Broadcom Employee
    Posted Jun 12, 2018 08:45 PM

    Hi Duc Tran 

     

    Ah this one :-) - I pops up from time to time - this will probably be the cause : 

     

    You wrote: 

    The only changes that was recently made was to change the DNS/URL previously from https://app.example.com to https://www.app.example.com

     

    The cookie domain for SMSESSION defaults to the (host -1) domain

     

    So where it used to be
       set-cookie SMSESSION =*** domain=.example.com 

    it is now: 

        set-cookie SMSESSION =*** domain=.app.example.com 

     

    and so SMSESSION is then not sent to requests to the host smffs.example.com. since it is not in the .app.example.com domain.

     

     

    A fiddler trace, or the console trace in browser to view the set-cookie is good way to confirm.

     

    There are a number of ACO parametrers you can set. : 

    cookieDomain

    domainScope 

     

    in the agent to influence it, probably cookieDomain=.example.com would be the easiest - but depends on your setup.

     

    Cheers - Mark

     

     



  • 3.  Re: SMSESSION cookie not present

    Posted Jun 13, 2018 02:36 PM

    Mark,

     

    Very much appreciate your quick response and the very helpful information which resolved my issue.

     

    Thanks you!!