Control on session state information over SSL
The ssl-id-sessions stanza entry, located in the [session] stanza of the WebSEAL configuration file, allows us to control whether the SSL session ID or another session key data type is used to maintain the login session for clients accessing over HTTPS.
If the stanza entry value is set to "yes", the SSL session ID is used for all authentication methods. For example:
[session]
ssl-id-sessions = yes
If the stanza entry value is set to "no" (default), session cookies are used for most authentication methods. For example:
[session]
ssl-id-sessions = no
A configuration setting of "no" for this stanza entry results in the following conditions for clients accessing over HTTPS:
- The SSL session ID is never used to maintain session state.
- The HTTP header is used as session ID data for clients authenticating with HTTP headers.
- The IP address is used as session ID data for clients authenticating with IP addresses.
- Cookies are used to maintain sessions with clients authenticating with all other methods.
See Valid session key data types.
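The following is an added example, not code from the product or its documentation: a small audit helper that reads ssl-id-sessions from the [session] stanza of a configuration file and reports which session key data type applies to HTTPS clients, following the rules listed above. The sample file content, the function names, the authentication-method labels, the "#" comment handling and the case-insensitive value match are assumptions made for the illustration.

```python
# Constructed sample content, not a real WebSEAL configuration file.
SAMPLE_CONF = """\
[server]
https = yes

[session]
# ssl-id-sessions = yes
ssl-id-sessions = no
"""

def read_stanza_entry(conf_text, stanza, key, default):
    """Return the value of `key` in `[stanza]`, or `default` when it is absent.

    Conflicting duplicate entries raise ValueError instead of being resolved
    silently, so the operator decides which one is intended.
    """
    current, found = None, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # assumed comment marker
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            continue
        name, sep, value = line.partition("=")
        if sep and current == stanza and name.strip() == key:
            found.add(value.strip())
    if len(found) > 1:
        raise ValueError(f"conflicting values for {key}: {sorted(found)}")
    return found.pop() if found else default

def https_session_key(conf_text, auth_method):
    """Session key data type for an HTTPS client, per the rules on this page.

    `auth_method` uses hypothetical labels: "http-header", "ip-address",
    or any other string for every other authentication method.
    """
    # "no" is the documented default when the entry is not set.
    setting = read_stanza_entry(conf_text, "session", "ssl-id-sessions", "no")
    setting = setting.lower()                  # assumed case-insensitive
    if setting == "yes":
        return "ssl-session-id"                # used for all methods
    if setting != "no":
        raise ValueError(f"unexpected ssl-id-sessions value: {setting!r}")
    if auth_method == "http-header":
        return "http-header"
    if auth_method == "ip-address":
        return "ip-address"
    return "cookie"

if __name__ == "__main__":
    for method in ("http-header", "ip-address", "forms"):
        print(method, "->", https_session_key(SAMPLE_CONF, method))
```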