Forum Discussion

alex100_194614
Feb 24, 2016

APM SSO Domain Cookie Issue

Hi all,


I am running into an issue with the SSO domain cookie. Let's say we have several sites which all use SSO for the single domain mycompany.com. So, single sign-on works fine between the sites it's configured for: site1.mycompany.com, site2.mycompany.com and site3.mycompany.com. However, in the same domain we also have a number of applications, for example mysite.mycompany.com, which sit behind APM. When a user is logged in to site1.mycompany.com and tries to access mysite.mycompany.com in a new browser tab, he or she is presented with an error message informing that "Your session can not be established." A session reference number corresponding to the content of the LastMRH_Session cookie is also displayed. So it seems like some session cookie clash resulting in a broken session. Has anyone been able to find a workaround for it? Unfortunately, using different domains is not an option for me.


Thanks


  • Josiah_39459
    Historic F5 Account

    Do you have the three hosts defined in the cookie's host list? Are they defined as hosts and not domains?

    If you have a domain cookie for mycompany.com, there's no way to prevent it from being sent to mysite.mycompany.com. However, you could add an iRule to mysite.mycompany.com that detects whether an access session is started or not and ignores the cookie appropriately:

    --

    when HTTP_REQUEST {
      # An MRHSession cookie arriving with an APM session that is still in progress
      # (or never started) is the clash described above; /my.policy is excluded so
      # an in-progress logon can still complete.
      if { [HTTP::cookie exists "MRHSession"] && ([ACCESS::session exists -state_inprogress] || [ACCESS::session data get "session.policy.result"] == "not_started" ) && ! [string equal "[HTTP::uri]" "/my.policy"] } {
        # $static::ACCESS_LOG_PREFIX is assumed to be set in RULE_INIT
        log -noname accesscontrol.local1.err "$static::ACCESS_LOG_PREFIX [IP::remote_addr] access [HTTP::uri] with in_progress session, redirecting to logout URI"
        HTTP::close

        # here you can do whatever you want, easiest option is to simply 302 user to logout URI to delete apm cookie and start over
        HTTP::respond 302 Location "/my.logout.php3"
      }
    }
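Added example, not part of this thread or of F5's code: Python's standard http.cookiejar applies the same Domain/host matching rules a browser does, so it shows why an SSO cookie scoped to Domain=mycompany.com reaches the APM-protected mysite.mycompany.com while a host-only cookie does not. Host names are the ones used in the thread; the cookie values are constructed.

```python
# Added example (not from the thread or from F5). Demonstrates cookie scoping:
# a Domain=mycompany.com cookie is attached to every host under the domain,
# a host-only cookie only to the host that set it.
import http.cookiejar
import urllib.request


def make_cookie(name, value, domain):
    """Build a version-0 (Netscape-style) cookie.

    A domain starting with '.' is a domain cookie (sent to every host under it);
    a bare host name is a host-only cookie (sent to that host alone).
    """
    domain_cookie = domain.startswith(".")
    return http.cookiejar.Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=domain_cookie,
        domain_initial_dot=domain_cookie, path="/", path_specified=True,
        secure=True, expires=None, discard=True, comment=None,
        comment_url=None, rest={}, rfc2109=False)


def cookies_sent_to(jar, url):
    """Return the cookie names the jar would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)          # applies DefaultCookiePolicy matching
    header = req.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


def scenario(sso_cookie_domain):
    """Jar with an APM SSO cookie scoped as given plus one host-only cookie.

    Returns, per host, which cookie names it receives. Values are constructed.
    """
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_cookie("MRHSession", "sso-session-1", sso_cookie_domain))
    jar.set_cookie(make_cookie("LastMRH_Session", "abcd1234", "site1.mycompany.com"))
    hosts = ("site1.mycompany.com", "site2.mycompany.com", "mysite.mycompany.com")
    return {host: cookies_sent_to(jar, f"https://{host}/") for host in hosts}


if __name__ == "__main__":
    # Domain cookie: MRHSession also reaches mysite.mycompany.com behind APM.
    print("Domain=mycompany.com:", scenario(".mycompany.com"))
    # Host-only cookie: only site1.mycompany.com ever sees it.
    print("host-only on site1  :", scenario("site1.mycompany.com"))
```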