SiteMinder implements session management using session tickets. A session ticket contains basic information about a user and that user's authentication information; it is used to identify the user's session across all sites in a single sign-on SiteMinder environment. Session tickets are encrypted and can only be read/validated by the Policy Server. SiteMinder Web Agents use session tickets to identify users and provide session information to the Policy Server.
The session ticket is handled differently depending upon whether the session is persistent or non-persistent.
Non-persistent sessions: The Web Agent places the session ticket in a cookie. The ticket identifies the user session, but no user-specific data is kept in the cookie itself. The Web Agent is responsible for validating the cookie and enforcing session timeouts.
Persistent sessions: The Web Agent places the session ticket in a session server database and, if possible, in an optional cookie on the client. The session ticket data, whether retrieved from the cookie or from the session server database, is used as an index into the Web Agent's cache, which holds the user session data. If a cookie is written, no user-specific data is kept in the cookie itself. The Web Agent is responsible for validating the session and enforcing session timeouts.
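The following is an added model of the split described above, not CA code and not SiteMinder's real ticket format: a constructed PolicyServer is the only party that can issue or validate a ticket, and a constructed WebAgent uses the validated ticket only as an index into its own cache, keeps all user data server-side, and enforces an idle and a maximum session timeout. A keyed MAC stands in for the encryption the page describes, since the page does not specify the cipher.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class SessionRecord:
    user: str            # user-specific data lives here, server-side, never in the cookie
    auth_time: float
    last_access: float

class PolicyServer:
    """Constructed stand-in: the only party that can issue or validate a ticket."""
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)   # never shared with Web Agents

    def issue_ticket(self) -> str:
        # Ticket = random session id + keyed MAC. The MAC is an illustrative stand-in
        # for the encryption the page describes: agents can carry it but not forge it.
        sid = secrets.token_hex(16)
        return sid + "." + hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()

    def validate_ticket(self, ticket: str) -> bool:
        sid, _, tag = ticket.partition(".")
        expect = hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()
        return bool(sid) and hmac.compare_digest(tag.encode(), expect.encode())

class WebAgent:
    """Keeps session data in its own cache keyed by the ticket and enforces timeouts."""
    def __init__(self, ps: PolicyServer, idle_timeout: float, max_timeout: float) -> None:
        self.ps, self.idle_timeout, self.max_timeout = ps, idle_timeout, max_timeout
        self.cache: dict[str, SessionRecord] = {}

    def login(self, user: str, now: float) -> str:
        ticket = self.ps.issue_ticket()
        self.cache[ticket] = SessionRecord(user, auth_time=now, last_access=now)
        return ticket                      # the cookie value handed to the browser

    def validate(self, cookie: str, now: float) -> str | None:
        # The ticket must validate first; only then is it used as an index into the cache.
        rec = self.cache.get(cookie) if self.ps.validate_ticket(cookie) else None
        if rec is None:
            return None                    # tampered ticket or unknown session
        if now - rec.last_access > self.idle_timeout or now - rec.auth_time > self.max_timeout:
            del self.cache[cookie]         # expired: drop the cached session data
            return None
        rec.last_access = now
        return rec.user
```

A tampered ticket, an idle session and a session past its maximum lifetime all yield None, and the cookie value never carries the user name.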
Copyright © 2010 CA. All rights reserved.