Store Session Cookies on the Session Server for Improved Security

You can increase the security of your environment by having SiteMinder create session cookies that are stored in the SiteMinder session server instead of on the client computer belonging to the end user. Storing session cookies in the SiteMinder session server prevents anyone with access to the following items from copying a session cookie from a client computer and then re-using it:

You can control where SiteMinder stores its session cookies by setting the following parameter:

StoreSessioninServer

Specifies whether session cookies are stored on the client computer, or in the SiteMinder session server. When the value of the StoreSessioninServer parameter is yes, a session cookie is created and stored on the session server. Cookie providers and Web Agents access the cookie from the session server.

Cookie providers and Web Agents replace the session cookie in a URL with a GUID that corresponds to the session cookie stored on the session server.

When the value of the StoreSessioninServer parameter is no, the session cookie is passed directly in the URL.

Default: No

To store session cookies on the session server for improved security

  1. Ensure your environment meets the following conditions:
  2. In your Web Agents and cookie provider, set the value of the StoreSessioninServer parameter to yes.
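
Step 2 has to be applied to every Web Agent and to the cookie provider, and the parameter defaults to No when it is absent. The following added example (not SiteMinder code or tooling) audits exported configuration text for components where the setting is not effectively yes. It assumes a `name="value"` line format with `#` comments; the component names and sample contents are constructed.

```python
import re

PARAM = "StoreSessioninServer"
# Assumed export format: name="value" or name=value, '#' starts a comment.
LINE_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def active_values(config_text):
    """Return every uncommented value given for StoreSessioninServer."""
    values = []
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out setting leaves the default in force
        m = LINE_RE.match(line)
        # Exact name match: a misspelled name is treated as "not set".
        if m and m.group(1) == PARAM:
            values.append(m.group(2).strip().lower())
    return values


def is_enabled(config_text):
    """True only if the parameter is set and every active value is yes."""
    values = active_values(config_text)
    # Documented default is No, so an absent parameter counts as disabled.
    return bool(values) and all(v == "yes" for v in values)


def audit(configs):
    """Return the sorted names of components that still use the default."""
    return sorted(name for name, text in configs.items()
                  if not is_enabled(text))


# Constructed sample input: two Web Agents and one cookie provider.
SAMPLE = {
    "webagent-1": 'StoreSessioninServer="yes"\n',
    "webagent-2": '#StoreSessioninServer="yes"\n',        # commented out
    "cookie-provider": 'StoreSessioninServer = No  # not yet changed\n',
}

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print(f"{name}: {PARAM} is not set to yes")
```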