SessionLinker can protect session identifiers for multiple applications. However, each application must be configured separately.
To configure your web server to use the SessionLinker, use the Administrative UI to create a response that contains an active expression. Use a response group if you have many applications that use the same settings. Use the following example of an active expression as a guide to create your own:
<@ lib="npssessionlinker" func="Config" param="function_parameter;function_parameter" @>
The function_parameter uses the following name/value pairs:
Specifies the name of the cookie from the third-party (foreign) application. If cookie names change, use an asterisk as a wildcard character. For example, if the cookies from your third party begin with APPSESSION, use APPSESSION for the value of this setting.
Examples: Cookie Names
(Optional) Specifies how the SessionLinker responds to invalid sessions. If the value of this parameter is set to BLOT, the user is granted access, but the third-party (foreign) session cookie is not passed through the web server to the target page. If the value of this parameter is set to NOBLOT, the user is redirected to the URL specified in the URL setting. If the value of this setting is NOBLOT, set the URL parameter.
Default: BLOT
Example: (with multiple cookies) COOKIE1=TESTCOOKIE;NOBLOT1;URL1=/blot1.html;COOKIE2=TESTCOOKIE1;NOBLOT2;URL2=/blot2.html;COOKIE3=TESTCOOKIE2;BLOT3;URL3=/blot1.html
Specifies a URL to which the SessionLinker redirects the user when an invalid session is detected. The web server also logs the redirection.
Note: If the NOBLOT option is used, this parameter needs a valid URL.
Example: URL=/InvalidSessionWarning.jsp
Specifies the number of seconds that the SessionLinker maintains orphaned sessions.
Default: 86400 (the number of seconds in a 24-hour period)
Limits: Cannot be less than the maximum number of seconds that cookies from the third party (foreign) application are accepted.
(Optional) Specifies the number of characters in a URL, so that cookies used in more than one area of a website can be distinguished. Suppose different applications use the same 15-character URL string as a prefix for naming their cookies. Use a larger value for the cookiescope setting. The larger number distinguishes between specific resources in other locations.
Examples of URLs and corresponding values:
CA SiteMinder® uses this expression to call the config function in the npssessionlinker library. The function creates an HTTP Header labeled NPS_SESSION_LINKER, that contains the function parameters that you set in the response.
For example, an NPS_SESSION_LINKER HTTP response with typical settings could resemble the following:
<@ lib="npssessionlinker" func="Config" param="Cookie=APPSESSION;BLOT;URL=/example.asp" @>
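The following added example (not CA code) lints a param string before it is pasted into a response, flagging a NOBLOT setting that has no URL, the combination this page says must not occur. Grouping settings by numeric suffix and treating keywords as case-insensitive are assumptions inferred from the examples on this page; parse_param and lint_param are hypothetical helper names.

```python
import re
from collections import defaultdict

# The page's multi-cookie example, copied verbatim.
PAGE_EXAMPLE = ("COOKIE1=TESTCOOKIE;NOBLOT1;URL1=/blot1.html;"
                "COOKIE2=TESTCOOKIE1;NOBLOT2;URL2=/blot2.html;"
                "COOKIE3=TESTCOOKIE2;BLOT3;URL3=/blot1.html")

# Splits a name such as "COOKIE2" or "NOBLOT" into keyword and numeric suffix.
_NAME = re.compile(r"^([A-Za-z]+)(\d*)$")


def parse_param(param):
    """Return {suffix: settings} for a semicolon-separated param string."""
    groups = defaultdict(lambda: {"modes": set()})
    for token in (t.strip() for t in param.split(";")):
        if not token:
            continue
        name, _, value = token.partition("=")
        match = _NAME.match(name.strip())
        if match is None:
            raise ValueError(f"unrecognised token: {token!r}")
        # Assumption: keywords are case-insensitive and the suffix ties them together.
        key, suffix = match.group(1).upper(), match.group(2)
        if key in ("BLOT", "NOBLOT"):
            groups[suffix]["modes"].add(key)
        else:
            groups[suffix][key] = value.strip()
    return dict(groups)


def lint_param(param):
    """List settings that contradict the rules stated on this page."""
    findings = []
    for suffix, group in sorted(parse_param(param).items()):
        label = f"group {suffix or '(unnumbered)'}"
        modes = group["modes"] or {"BLOT"}  # page: the default is BLOT
        if not group.get("COOKIE"):
            findings.append(f"{label}: no cookie name set")
        if len(modes) > 1:
            findings.append(f"{label}: both BLOT and NOBLOT set")
        if "NOBLOT" in modes and not group.get("URL"):
            findings.append(f"{label}: NOBLOT without URL")
    return findings


if __name__ == "__main__":
    for text in (PAGE_EXAMPLE, "Cookie=APPSESSION;NOBLOT"):  # second input is constructed
        print(text, "->", lint_param(text) or "ok")
```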
Copyright © 2014 CA.
All rights reserved.