Addition of data to a failover cookie
WebSEAL automatically adds specific data from the user session to each failover authentication cookie. WebSEAL can be configured to add additional information from the client data maintained in the credential cache. By default WebSEAL adds the following data to each cookie:
- User name
Corresponds to the name used to identify the user in the user registry
When an authenticated user has used the WebSEAL switch user function to obtain the effective identity of another user, the identity of the other user is not added to the cookie. Only the original authenticated user identity is added to the cookie.
- Authentication method
Method used to authenticate the user to WebSEAL.
- Cookie creation time
The system time when the cookie was created.
WebSEAL also creates an attribute list containing additional data. By default, the attribute list contains one value:
- Authentication strength level
An integer value corresponding to the WebSEAL authentication strength level (also an integer value) assigned on the local WebSEAL server to the current authentication method. Authentication strength, also known as step-up authentication, enables a user to authenticate with a different authentication method without having to log out.
WebSEAL defines additional user data that can be added to the cookie attribute list:
- Session lifetime timestamp
When a user authenticates, WebSEAL tracks the age or lifetime of the user entry in the WebSEAL session cache. The session lifetime timestamp consists of the current time, advanced by the number of seconds configured for the maximum time that a user's session data can remain in the session cache. When the current system time exceeds the timestamp value, WebSEAL invalidates the user's entry in the session cache (including the user credentials).
WebSEAL can be configured to add the session lifetime timestamp to the cookie. When this timestamp is added to the cookie, the session lifetime timer can be preserved across failover events. WebSEAL administrators can choose whether or not to reset the client's session timer when the client session is established on a replicated server.
Note that successful use of this feature is dependent on synchronization of clocks between replicated WebSEAL servers. If clock skew becomes great, sessions can expire at unintended times.
- Session activity timestamp
The session activity timestamp is a time value placed as an attribute in the failover cookie when it is created at the server that responds to the initial request.
This timestamp differs from the session inactivity timeout maintained for the WebSEAL session cache. The session activity timestamp for failover cookies is calculated by adding the maximum time to the current system time. The timestamp is updated at a frequency determined by the time interval.
- Current system time
  The current time on the WebSEAL server in the HH:MM format.
  Example value: 13:30
- Maximum time
  The number of seconds that a user's session can remain inactive ([session], inactive-timeout).
  Example value: 600
- Time interval
  The number of seconds between updates to the failover authentication cookie ([failover], failover-update-cookie).
  Example value: 300
The timestamp value in the failover cookie in the preceding example is 13:40. If a future request during this session is failed over from Server 1 to Server 2, Server 2 accepts the request only if the time on Server 2 is less than 13:40. If the time on Server 2 is greater than or equal to 13:40, Server 2 rejects the request and prompts the user to log in to Server 2.
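The session activity and session lifetime timestamps described above, modelled as an added example (not WebSEAL code): the inactive-timeout and failover-update-cookie values are the ones from the text, the session lifetime value is an assumed [session] timeout, and the replica's decision is taken on its own clock, which is why clock skew shortens the acceptance window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed values: the first two are the examples given in the text, the
# third ([session] timeout, the session lifetime) is an assumed value.
INACTIVE_TIMEOUT = 600          # [session] inactive-timeout, seconds
FAILOVER_UPDATE_COOKIE = 300    # [failover] failover-update-cookie, seconds
SESSION_TIMEOUT = 3600          # assumed [session] timeout, seconds


@dataclass
class FailoverCookie:
    user: str
    auth_method: str
    created: datetime
    activity_timestamp: datetime   # last update time + inactive-timeout
    lifetime_timestamp: datetime   # creation time + session timeout


def issue_cookie(user: str, auth_method: str, now: datetime) -> FailoverCookie:
    """Server 1 builds the cookie when it answers the initial request."""
    return FailoverCookie(
        user, auth_method, now,
        now + timedelta(seconds=INACTIVE_TIMEOUT),
        now + timedelta(seconds=SESSION_TIMEOUT),
    )


def refresh_activity(cookie: FailoverCookie, now: datetime) -> bool:
    """Per-request hook on the original server: rewrites the activity
    timestamp only once the update interval has elapsed. Returns True when
    the cookie was rewritten (the costly path the text warns about)."""
    last_update = cookie.activity_timestamp - timedelta(seconds=INACTIVE_TIMEOUT)
    if (now - last_update).total_seconds() < FAILOVER_UPDATE_COOKIE:
        return False
    cookie.activity_timestamp = now + timedelta(seconds=INACTIVE_TIMEOUT)
    return True


def accept_on_failover(cookie: FailoverCookie, now_on_replica: datetime) -> tuple[bool, str]:
    """Server 2's decision on a failed-over request, taken on its own clock.
    A replica clock running ahead of Server 1 shortens both windows."""
    if now_on_replica >= cookie.activity_timestamp:
        return False, "inactive: re-authentication required"
    if now_on_replica > cookie.lifetime_timestamp:
        return False, "session lifetime exceeded"
    return True, "accepted"
```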
The setting for the interval between failover cookie updates affects performance. Administrators must choose a balance between optimal performance and absolute accuracy of the timestamp in the cookie. To keep the timestamp most accurate, failover cookies should be updated every time the user makes a request. However, frequent updating of cookie contents incurs overhead and decreases performance.
Each administrator must choose an interval that best fits the WebSEAL deployment. In some cases, an update of the failover cookie with every user request is appropriate. In other cases, the administrator might choose to never update the timestamp in the failover cookie.
- Additional extended attributes
Administrators can configure WebSEAL to insert a customized set of attributes into a failover cookie. Attributes can be specified individually or in a group. To specify a group of attributes, use wildcard pattern matching in configuration file entries. This feature is useful in deployments that also use customized authentication modules to insert special attributes into a user credential. By specifying those attributes in the WebSEAL configuration file, the administrator can ensure the attributes are available to add to the recreated user credential during failover authentication.
The maximum size of a failover authentication cookie is 4 kilobytes (4096 bytes).
Configuration instructions in this chapter:
- Add the authentication strength level
- Addition of session lifetime timestamp
- Add the session activity timestamp
- Addition of an interval for updating the activity timestamp
- Addition of extended attributes
Parent topic: Failover authentication concepts