Sam_Hall
Feb 07, 2018

Ensure the Integrity of Multi-Domain Access Policy Sessions

On very rare occasions it seems it's possible for a user to trigger additional APM sessions in the same browsing session. I'm still not sure how they manage to do this, but it does happen now and then. I'd like to be able to assume a single APM session across all authentication domains in a single browsing session. This would allow us to safely implement some cross-site communication free from any inconsistencies caused by session mismatches.


Fortunately, since all our authentication domains are subdomains of the same base domain, it seems I can set a domain cookie via an iRule for later comparison. So my current idea is to set a cookie on the base domain exposed to every subdomain. Probably the last 8 characters of the MRHSession session cookie string, similar to that of the LastMRH_Session cookie. Then on each HTTP request I can compare that cookie with the current session and kill the session if there is a mismatch.


The problem is I'm not sure where I can reliably set a cookie during or immediately after the APM login process. APM events don't allow me to set cookies, and once the user gets past the login screen they often get redirected immediately to a path on one of the secondary authentication domains. Injecting some JavaScript in the login page template might work, but it also seems like a pretty bad idea.
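The comparison half of the idea above, written out as an iRule. This is an added example, not code from the post or from F5; it assumes the authentication domains are subdomains of a placeholder base domain `example.com`, uses an arbitrary cookie name `SessionBind`, and assumes the `HTTP_RESPONSE` event fires for the response that carries the new `MRHSession` Set-Cookie header, which is exactly the part the post says is uncertain for APM-generated responses, so it needs to be confirmed in a lab before relying on it.

```tcl
# Added example (not from the original post). Binds the APM session to a
# base-domain cookie and tears the session down when the two disagree.
# Assumptions: base domain example.com (placeholder), cookie name SessionBind
# (arbitrary), HTTP_RESPONSE observed for the response that sets MRHSession.

when RULE_INIT {
    set static::bind_domain ".example.com"
    set static::bind_cookie "SessionBind"
}

when HTTP_RESPONSE {
    # A response issuing MRHSession also publishes the tail of that session id
    # on the base domain, so every subdomain can see which session the browser
    # is supposed to be in.
    if { [HTTP::cookie exists "MRHSession"] } {
        set sid [HTTP::cookie value "MRHSession"]
        if { [string length $sid] >= 8 } {
            HTTP::cookie insert name $static::bind_cookie \
                value [string range $sid end-7 end] path "/" domain $static::bind_domain
            HTTP::cookie secure $static::bind_cookie enable
            HTTP::cookie httponly $static::bind_cookie enable
        }
    }
}

when HTTP_REQUEST {
    # Only police requests that present both cookies; a request without a
    # binding cookie is a fresh login and is left to APM.
    if { [HTTP::cookie exists "MRHSession"] && [HTTP::cookie exists $static::bind_cookie] } {
        set sid  [HTTP::cookie value "MRHSession"]
        set bind [HTTP::cookie value $static::bind_cookie]
        if { [string length $sid] >= 8 && ![string equal [string range $sid end-7 end] $bind] } {
            # Mismatch: this browser holds an APM session on this host that is not
            # the one the base domain says it should be in. Log it, drop the
            # session, and send the user back through the login.
            log local0. "APM session mismatch from [IP::client_addr] on [HTTP::host]: MRHSession tail [string range $sid end-7 end] != $static::bind_cookie $bind"
            if { [ACCESS::session exists $sid] } {
                ACCESS::session remove
            }
            HTTP::cookie remove "MRHSession"
            HTTP::redirect "https://[HTTP::host]/"
        }
    }
}
```

The binding cookie is deliberately only a fragment of the session id, matching the post's LastMRH_Session comparison, so it is not itself a credential for the session. After a mismatch the next successful login issues a new MRHSession, and the `HTTP_RESPONSE` handler overwrites the binding cookie with the new tail, so there is no need to expire it explicitly. The log line is the detection value here: if mismatches cluster on one path or one client, that is the place to look for how the second session is being created.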

