The following table summarizes the scenarios for which each session scheme is suited. Choose a scheme according to the sensitivity of the resources on the virtual host: the more sensitive the application, the higher the security level the scheme must provide.
| Session Scheme | Security Level | Recommendation |
|---|---|---|
| SSL Session ID | High | This scheme provides a clean and highly secure means of holding user sessions. Although it is the most secure of the available schemes, it is limited in scalability: all content must be served over SSL, and the user must continue to access the same SPS server for the session to persist. Also, some browsers (some versions of IE) terminate the SSL session after 2 minutes by default, which ends the user session. This scheme is ideal for intranet and extranet applications with high security needs. |
| SiteMinder Cookies | Medium or High | This scheme is the traditional SiteMinder session mechanism, which has proven highly secure in many enterprise deployments. For maximum security, set the WebAgent SecureCookie setting to "Yes" so that the session cookie is only sent over SSL. |
| IP Address | Low | This scheme is only for applications where users retrieve information (with HTTP GET) from protected resources and do not send information (with HTTP POST) to a secure application. Because the session is identified solely by the client IP address, any client that shares that address (for example, behind the same NAT gateway or proxy) is indistinguishable from the original user. An example of an appropriate application is an online library; an example of an inappropriate application is a bond trading application. |
| Mini-Cookies | Medium or High | This scheme is ideal for applications where user clients accept cookies but access the application over connections of limited speed and bandwidth. For maximum security, set the WebAgent SecureCookie setting to "Yes". |
| Simple URL Rewriting | Medium | This scheme is ideal for environments that do not support, or do not want to use, cookies. Because the session identifier is carried in the URL, it can appear in browser history, bookmarks and server logs. |
| Device ID | Medium | This scheme is designed for wireless environments where a device ID is sent with every client request to identify a user. |
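The two cookie-based rows above recommend SecureCookie="Yes" on the WebAgent. A practitioner will want to verify that setting from the client side rather than trust the configuration file, by inspecting the Set-Cookie headers a protected resource actually returns. The following audit script is an added example, not CA code or documentation. It assumes the SiteMinder session cookie is named SMSESSION (the WebAgent default; the table does not name it), that SecureCookie="Yes" results in the Secure attribute on that cookie, and it additionally checks for HttpOnly, which the table does not mention but which prevents script access to the session cookie. The two header lists are constructed samples standing in for responses captured from a WebAgent with SecureCookie="No" and SecureCookie="Yes" respectively.

```python
"""Audit captured Set-Cookie headers for SiteMinder session cookie attributes.

Added example, not CA code. Assumes the session cookie is named SMSESSION
(WebAgent default) and that SecureCookie="Yes" sets the Secure attribute.
"""

# Cookie names treated as session-bearing (assumption: SiteMinder defaults).
SESSION_COOKIE_NAMES = {"smsession", "smidentity"}

# Constructed sample headers: what a client might capture from a WebAgent
# with SecureCookie="No" (weak) versus SecureCookie="Yes" (hardened).
WEAK_HEADERS = [
    "SMSESSION=abc123; Path=/; Domain=.example.com",
    "JSESSIONID=xyz; Path=/app",
]
HARDENED_HEADERS = [
    "SMSESSION=abc123; Path=/; Domain=.example.com; Secure; HttpOnly",
    "JSESSIONID=xyz; Path=/app; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split 'NAME=value; Attr; Attr=value' into (name, value, {attr: value}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    first, *rest = header.split(";")
    name, _, value = first.partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.strip().partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit_session_cookies(set_cookie_headers, required=("secure", "httponly")):
    """Return [(cookie name, [missing attributes])] for session cookies only.

    Non-session cookies (e.g. JSESSIONID) are ignored; a clean result is [].
    """
    findings = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue
        missing = [attr for attr in required if attr not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_session_cookies(headers) or "OK")
```

Feed the function the Set-Cookie headers from a real response to the protected resource (for example, the headers a browser's developer tools or a proxy shows after authentication); any SMSESSION cookie reported as missing "secure" means the WebAgent is not enforcing the table's recommendation for that virtual host.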
Copyright © 2011 CA. All rights reserved.