CA SiteMinder® SessionLinker Guide › SessionLinker › How the SessionLinker Works

How the SessionLinker Works

The CA SiteMinder® SessionLinker synchronizes the CA SiteMinder® session with the third-party application session for better security. For example, if a user logs out of the third-party application, the CA SiteMinder® SessionLinker logs the user out of CA SiteMinder®. Conversely, if a user logs out of CA SiteMinder®, the SessionLinker invalidates the related session of the third-party application.

When a user authenticates, SiteMinder assigns a unique session identifier to that user’s session. This session identifier, called the SiteMinder Session ID, remains constant for that user for the life of the user’s session. Logging out of SiteMinder by accessing the Logout URL does not necessarily release this session identifier; instead, it deletes the SMSESSION cookie that SiteMinder uses to track the session identifier.

The SessionLinker module takes application session cookies and associates them, one by one, with a SiteMinder session. Once associated, the application cookie (referred to here as the foreign cookie) can only be used in conjunction with that particular SiteMinder session. Attempts by other SiteMinder sessions to use the same foreign session will be prevented by SessionLinker.

The SessionLinker’s operation is easier to understand if you associate the CA SiteMinder® session and corresponding foreign cookies that CA SiteMinder® tracks together in a table, as shown in the following example:

The SessionLinker uses the following process:

1. The SessionLinker receives a request from a web server.
2. The SessionLinker extracts the SiteMinder Session ID from the HTTP headers and the Foreign Cookie from all incoming HTTP cookies.
3. The SessionLinker compares the values presented from the web server against the contents of the table to determine whether the request should be allowed, as shown in the following examples:
   • If the Session ID is FIVE and the Foreign Cookie is RSTU, SessionLinker inserts these values into the table.
   • If the Session ID is SIX and the Foreign Cookie is ABCD, SessionLinker blocks this because the Foreign Cookie ABCD is already associated with Session ONE.
   • If the Session ID is ONE and the Foreign Cookie is HIJK, the old session is orphaned and SessionLinker updates the table to associate Session ID ONE with HIJK. When a session is orphaned, the Foreign Cookie can no longer be presented by anyone. This feature allows the SessionLinker to support applications that update the cookie during the user’s session.

   Because SessionLinker supports multiple Foreign Cookies simultaneously, the entire process is repeated for each Foreign Cookie. The resulting table might appear as follows: