Symantec Access Management

  • 1.  CA SPS: Enable Rewrite Cookie Domain parameter

    Posted Sep 02, 2016 06:53 AM

    Hi all,

    I would like more information about the "Enable Rewrite Cookie Domain" SPS parameter.

    The documentation states:

     

    enablerewritecookiedomain
    Instructs the SPS to rewrite the cookie domain from the domain set by the server sitting behind the proxy to the domain of the initial request.

     

     

    Here are my use case conditions:

    • I use the SPS to proxy (forward) requests to a backend web server
    • The SPS uses the domain ".domain-sps.com"
    • The Web Agent for the SPS is disabled
    • The backend web server uses the domain ".internal-domain.com"
    • The Web Agent for the backend server is enabled
    • The Web Agent for the backend server is configured with the following parameters:
      • CookieDomain: .internal-domain.com
      • CookieDomainScope: 2
    • The Web Agent for the backend server protects the resource /dummy/*

     

    I know that as a best practice the web agent should be enabled on the SPS and not on the backend server, but I have no other choice.

     

    When I try to access the protected resource via CA SPS (with the URL http://app.domain-sps.com/dummy/resource.html), the Web Agent installed on the backend web server redirects the user to the authentication page. After successful authentication, the backend web agent sets the SMSESSION cookie with the domain ".internal-domain.com" and redirects the client to the original protected resource. The client requests the protected resource once again (http://app.domain-sps.com/dummy/resource.html) but does not send the SMSESSION because the domain in the cookie (.internal-domain.com) is different from the one requested (.domain-sps.com). Due to this, the backend web agent prompts the user with the login form once again.

     

    Honestly, this makes sense to me, but I hoped that with the parameter enablerewritecookiedomain=yes the SPS would rewrite the cookie domain.

     

    Does the "Enable Rewrite Cookie Domain" work only for third party cookies and not for SMSESSION?

    Any other suggestions/information about this?

     

    Thanks in advance,

    Daniele



  • 2.  Re: CA SPS: Enable Rewrite Cookie Domain parameter
    Best Answer

    Broadcom Employee
    Posted Sep 04, 2016 07:21 PM

    Hi Daniele

     

    There is a quirk in SPS, in that:

        enablerewritecookiedomain=yes

     

    will only work when the Web Agent for the SPS is enabled.

     

    I don't believe that should be the case, so my personal opinion is that it is a bug, but that is how it currently works.

     

    The handling of SMSESSION may be special, but from what you're describing above it would seem the rewrite of the domains would not be occurring even for normal set-cookie commands.

     

    Are you able to enable the webagent (but perhaps make the resources unprotected) in the SPS to see if that works for you?

     

    I have a related case I am working on at the moment (where if you have a host-only set-cookie, which has no domain, then sometimes you may still want SPS to write the new domain). So otherwise, if you want, we can open a support case and pursue it as a product bug.

     

    Cheers - Mark
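
Added example (not part of the original posts, and not SPS code): a generic Python sketch of RFC 6265 domain matching that shows why the browser never returns the backend's SMSESSION cookie to app.domain-sps.com, what a Set-Cookie domain rewrite at the proxy changes, and why a host-only cookie has no Domain attribute to rewrite. Function names and cookie values are constructed for illustration; how SPS performs the rewrite internally is not described in the thread.

```python
def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match; a leading dot is ignored."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def split_set_cookie(header):
    """Split a Set-Cookie value into ("name=value", [attributes])."""
    parts = [p.strip() for p in header.split(";")]
    return parts[0], [p for p in parts[1:] if p]

def cookie_domain(header):
    """Return the Domain attribute, or None for a host-only cookie."""
    for attr in split_set_cookie(header)[1]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain":
            return value.strip()
    return None

def browser_would_send(header, set_by_host, request_host):
    """Would a cookie received from set_by_host go back to request_host?"""
    domain = cookie_domain(header)
    if domain is None:  # host-only cookie: exact host match required
        return set_by_host.lower() == request_host.lower()
    # A Domain that the setting host does not belong to is rejected outright.
    return domain_matches(set_by_host, domain) and domain_matches(request_host, domain)

def rewrite_cookie_domain(header, backend_domain, public_domain):
    """Replace Domain=backend_domain with public_domain; keep the rest."""
    pair, attrs = split_set_cookie(header)
    target = backend_domain.lower().lstrip(".")
    out = [pair]
    for attr in attrs:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip().lower().lstrip(".") == target:
            attr = "Domain=" + public_domain
        out.append(attr)
    return "; ".join(out)

# Constructed sample values; hostnames are the ones quoted in the thread.
PUBLIC_HOST = "app.domain-sps.com"
BACKEND = "SMSESSION=abc123; Domain=.internal-domain.com; Path=/; HttpOnly"
HOST_ONLY = "APPSESSION=xyz; Path=/dummy"  # no Domain attribute
REWRITTEN = rewrite_cookie_domain(BACKEND, ".internal-domain.com", ".domain-sps.com")

if __name__ == "__main__":
    print(browser_would_send(BACKEND, PUBLIC_HOST, PUBLIC_HOST))    # cookie dropped
    print(REWRITTEN)
    print(browser_would_send(REWRITTEN, PUBLIC_HOST, PUBLIC_HOST))  # cookie returned
```

A rewritten Domain of .domain-sps.com makes the session cookie visible to every host under that domain, so the rewrite target should be the narrowest domain that still covers the proxied applications.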



  • 3.  Re: CA SPS: Enable Rewrite Cookie Domain parameter

    Posted Sep 09, 2016 08:58 AM

    Hi Mark,

    First of all, sorry for the delay in responding.

    Unfortunately, at the moment I'm not able to enable the webagent in the SPS (as you suggested); hence I cannot verify the enablerewritecookiedomain behaviour for normal set-cookie commands.

     

    As soon as I can do it, I will try and I will update this post.

     

    Thanks again for your help.

    Daniele