Previous Topic: Configure the SPS to Support the SessionLinkerNext Topic: What the SessionLinker Does Not Support

Administration GuideConfigure SPS to Support the SessionLinkerConfigure the SPS to Support the SessionLinkerHow the SessionLinker Works

How the SessionLinker Works

The SessionLinker synchronizes a SiteMinder session with a third-party application session for better security. If a user logs out of SiteMinder, the SessionLinker invalidates the related session of the third-party application.

When a user authenticates, SiteMinder assigns a unique session identifier to that user session. The session identifier, called the SiteMinder Session ID, remains constant for that user for the life of the user session. If the user logs out of SiteMinder through the Logout URL, SiteMinder deletes the SMSESSION cookie that SiteMinder uses to track the SiteMinder Session ID.

The SessionLinker module takes application session cookies and associates them, one by one, with a SiteMinder session. Once associated, the application cookie (referred to here as the foreign cookie) can only be used in conjunction with that particular SiteMinder session. The SessionLinker prevents attempts by other SiteMinder sessions to use the same foreign session.

To understand the SessionLinker operation, associate the SiteMinder session and corresponding foreign cookies that SiteMinder tracks together in a table, as shown in the following example:

SiteMinder Session ID

Foreign Cookie

ONE

ABCD

TWO

LMNO

THREE

PQRST

FOUR

VWXY

The SessionLinker uses the following process:

  1. The SessionLinker receives a request from a web server.
  2. The SessionLinker extracts the SiteMinder Session ID from the HTTP headers and the Foreign Cookie from all the incoming HTTP cookies.
  3. The SessionLinker compares the values that are presented from the web server against the contents of the table to determine whether the request must be allowed, as shown in the following examples:
    1. If the Session ID is FIVE and the Foreign Cookie is RSTU, SessionLinker inserts these values into the table.
    2. If the Session ID is SIX and the Foreign Cookie is ABCD, SessionLinker blocks the request because the Foreign Cookie ABCD is already associated with Session ONE.
    3. If the Session ID is ONE and the Foreign Cookie is HIJK, the old session is orphaned and SessionLinker updates the table to associate Session ID ONE with HIJK. When a session is orphaned, the Foreign Cookie can no longer be presented by anyone. This feature allows the SessionLinker to support applications that update the cookie during the user session.

The entire process is repeated for each Foreign Cookie. The resulting table may appear as follows:

SiteMinder Session ID

Foreign Cookie

***Orphaned***

ABCD

ONE

HIJK

TWO

LMNO

THREE

PQRST

FOUR

VWXY

FIVE

RSTU