We are seeing strange issue with one of our non-production environment. Users would login to web application at https://app.example.com and then click on a hyperlink to: https://smfss.example.com/affwebservices/saml2sso?spid=xxxx.
This no longer works because for some reason when the user first login to https://app.example.com and SMSESSION cookie is created at this point, but once they try to request: https://smfss.example.com/affwebservices/.... the SM web agent option pack at https://smfss.example.com says that it there is no SMSESSION cookie present so it redirect the user to login page.
When the request leaves https://app.example.com the browser no longer has the SMSESSION cookie. The only changes that was recently made was to change the DNS/URL previously from https://app.example.com to https://www.app.example.com. This change was made in DNS and load balancer, but we really don't think this would cause the SMSESSION cookie to be restricted only to: https://app.example.com.
Much appreciate you help on this!
Hi Duc Tran
Ah this one :-) - I pops up from time to time - this will probably be the cause :
The only changes that was recently made was to change the DNS/URL previously from https://app.example.com to https://www.app.example.com.
The cookie domain for SMSESSION defaults to the (host -1) domain
So where it used to be set-cookie SMSESSION =*** domain=.example.com
it is now:
set-cookie SMSESSION =*** domain=.app.example.com
and so SMSESSION is then not sent to requests to the host smffs.example.com. since it is not in the .app.example.com domain.
A fiddler trace, or the console trace in browser to view the set-cookie is good way to confirm.
There are a number of ACO parametrers you can set. :
in the agent to influence it, probably cookieDomain=.example.com would be the easiest - but depends on your setup.
Cheers - Mark
Very much appreciate your quick response and the very helpful information which resolved my issue.