Header Variables and End-User IP Address Validation

When a SiteMinder Web Agent receives a request that follows an initial request by that same user, the Agent validates the session cookie sent with the subsequent request by comparing the IP address of the requesting user with the IP address encrypted inside the session cookie. The address inside the cookie is generated by the Agent during the user's initial request.

Mechanisms used to balance and manage incoming network traffic, such as firewalls, load balancers, cache devices, and proxies, can alter the user's IP address or make it appear as if all incoming requests are coming from a single IP address or a small group of IP addresses. As a result, the Web Agent's IP checking becomes ineffective. The Web Agent can now perform IP checking in these network environments using a custom HTTP header and a configurable list of safe proxy IP addresses.
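The check described above, as an added Python example that is not part of the SiteMinder documentation or the Web Agent's own code. It assumes a hypothetical custom header name (X-Client-IP) and a constructed safe-proxy list, and goes slightly beyond the page by walking a comma-separated chain of addresses in the header from the right, skipping the safe proxies.

```python
import ipaddress
from typing import Dict, Iterable

# Constructed sample configuration (hypothetical values, not from the page).
SAFE_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]
CUSTOM_IP_HEADER = "X-Client-IP"  # hypothetical custom IP header name


def is_safe_proxy(addr: str, safe_proxies: Iterable) -> bool:
    """True if addr falls inside any configured safe-proxy address or range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in safe_proxies)


def resolve_requestor_ip(remote_addr: str, headers: Dict[str, str], safe_proxies) -> str:
    """Derive the Requestor IP Address from REMOTE_ADDR and the custom IP header.

    The header is honoured only when REMOTE_ADDR itself is a safe proxy; a request
    arriving directly from an untrusted peer could carry any header value, so the
    direct address is used instead. Assumption: the header may hold a comma-separated
    chain (requestor, proxy1, ...); it is walked from the right, skipping safe proxies,
    and the first address that is not a safe proxy is taken as the requestor.
    """
    if not is_safe_proxy(remote_addr, safe_proxies):
        return remote_addr
    # HTTP header names are case-insensitive.
    raw = next((v for k, v in headers.items() if k.lower() == CUSTOM_IP_HEADER.lower()), "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_safe_proxy(hop, safe_proxies):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                break  # malformed hop: do not guess, fall back below
    return remote_addr  # no usable header value: use the direct peer address


def ip_check(cookie_ip: str, remote_addr: str, headers: Dict[str, str],
             safe_proxies=SAFE_PROXIES) -> bool:
    """IP checking: the requestor IP of this request must equal the IP recorded in
    the SMSESSION cookie on the initial request."""
    return resolve_requestor_ip(remote_addr, headers, safe_proxies) == cookie_ip
```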

The following table lists the terminology for the new IP checking functionality.

| Term | Definition |
| --- | --- |
| HTTP Request Header | A name/value pair that describes a single element of an HTTP request. |
| Custom IP Header | A user-defined HTTP request header used by intermediate HTTP network applications or hardware devices to store the requestor's IP address. |
| IP Checking | Feature that enables the Web Agent to check requests for authenticity by comparing the REMOTE_ADDR in the request with the REMOTE_ADDR value stored in the SMSESSION cookie, after an initial request. This feature is also known as IP validation. |
| REMOTE_ADDR | Web server variable representing the IP address of the HTTP client making a request to the web server. Also known as REMOTE_IP or CLIENT_IP. This differs from the Requestor IP Address when a proxy server, NAT firewall, or other network service or device sits between the requestor and the target web server. |
| Requestor | The initiator of an HTTP request, typically a user at a browser. |
| Requestor IP Address | The IP address of the user making the original HTTP request. |
| Single Sign-on | Feature that requires a user to enter credentials for secure access to a protected Web site only once during a session. |
| SMSESSION cookie | HTTP mechanism used by Web Agents to track single sign-on state. |


Copyright © 2010 CA. All rights reserved. Email CA about this topic