Failover cookie
WebSEAL supports failover authentication of a user through a failover cookie. The failover cookie can be a server-specific cookie or a domain cookie.
The failover cookie contains encrypted client-specific data, such as:
- User name
- Cookie-creation time stamp
- Original authentication method
- Attribute list
By default, the attribute list contains the user's current authentication level. WebSEAL can be configured to add further extended attributes to the attribute list. See Failover for non-sticky failover environments for a failover solution that stores the client's session ID as an extended attribute.
The cookie is set in the browser when the client first connects. If the initial WebSEAL server becomes temporarily unavailable, the browser presents the cookie to the substitute server.
The replicated WebSEAL servers share a common key that can decrypt the cookie information. When the substitute replica WebSEAL server receives this cookie, it decrypts the cookie and uses the user name and authentication method to regenerate the client's credential. WebSEAL can also be configured to copy any extended attributes from the cookie to the user credential.
The client can now establish a new session with a replica WebSEAL server without being prompted to log in.
The failover cookie is not a mechanism for maintaining session state; it is a mechanism for transparently reauthenticating a user.
We can use the failover-cookie-name entry in the [failover] stanza to configure the name of the failover cookie. By default, WebSEAL uses the name PD-ID for the failover cookie. Failover cookies can be used over either HTTP or HTTPS.
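The following Python models the exchange described above. It is an added example, not IBM's code and not WebSEAL's actual cookie format: the primary server issues a cookie carrying the user name, creation time stamp, authentication method and attribute list, encrypted and integrity-protected under a key shared by the replica group; a replica checks the integrity tag before decrypting, checks the time stamp against a lifetime, and regenerates a credential from the user name and authentication method, optionally copying the extended attributes. The HMAC-based encryption (chosen only to keep the example free of third-party dependencies; a real implementation would use a vetted AEAD such as AES-GCM), the 600-second lifetime, the clock-skew allowance, the JSON layout and the sample key and user are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Key held by every replica in the failover group (constructed for this example).
SHARED_KEY = b"example-shared-key-do-not-use-in-production"
COOKIE_NAME = "PD-ID"               # default failover cookie name from the text
COOKIE_LIFETIME_SECONDS = 600       # assumed lifetime, not a WebSEAL default
CLOCK_SKEW_SECONDS = 60             # assumed tolerance for replica clock drift

NONCE_LEN = 16
TAG_LEN = 32


def _derive(key, label):
    # Separate encryption and MAC keys derived from the one shared key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key, nonce, data):
    # HMAC in counter mode as a stream cipher; illustrative only (see lead-in).
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def create_failover_cookie(key, user, auth_method, attributes, now=None):
    """Primary server: build the encrypted, integrity-protected cookie value."""
    payload = {
        "user": user,
        "created": int(time.time() if now is None else now),
        "auth_method": auth_method,
        "attrs": attributes,        # includes the authentication level by default
    }
    plaintext = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _keystream_xor(_derive(key, b"failover-enc"), nonce, plaintext)
    tag = hmac.new(_derive(key, b"failover-mac"), nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def accept_failover_cookie(key, cookie_value, copy_attributes, now=None):
    """Replica: verify, decrypt and regenerate the credential; None if rejected."""
    try:
        raw = base64.urlsafe_b64decode(cookie_value)
    except ValueError:
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    # Verify the tag before touching the ciphertext; constant-time compare.
    expected = hmac.new(_derive(key, b"failover-mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        payload = json.loads(_keystream_xor(_derive(key, b"failover-enc"), nonce, ciphertext))
        created = payload["created"]
        user, auth_method, attrs = payload["user"], payload["auth_method"], payload["attrs"]
    except (ValueError, KeyError, TypeError):
        return None
    now = int(time.time() if now is None else now)
    if not isinstance(created, int) or created > now + CLOCK_SKEW_SECONDS:
        return None
    if now - created > COOKIE_LIFETIME_SECONDS:
        return None                 # stale cookie: the user must log in again
    # The credential is rebuilt from the cookie, not looked up from session state.
    credential = {"user": user, "auth_method": auth_method,
                  "auth_level": attrs.get("authentication_level")}
    if copy_attributes:
        credential["attrs"] = dict(attrs)
    return credential


def demo():
    """Primary issues a cookie; a replica accepts it and rejects tampered/expired/foreign ones."""
    now = 1_700_000_000
    cookie = create_failover_cookie(SHARED_KEY, "alice", "forms", {"authentication_level": "1"}, now=now)
    raw = bytearray(base64.urlsafe_b64decode(cookie))
    raw[NONCE_LEN + 4] ^= 0x01      # flip one ciphertext bit
    tampered = base64.urlsafe_b64encode(bytes(raw)).decode()
    return {
        "replica_accepts": accept_failover_cookie(SHARED_KEY, cookie, True, now=now + 30) is not None,
        "tampered_rejected": accept_failover_cookie(SHARED_KEY, tampered, True, now=now + 30) is None,
        "wrong_key_rejected": accept_failover_cookie(b"another-group-key", cookie, True, now=now + 30) is None,
        "expired_rejected": accept_failover_cookie(SHARED_KEY, cookie, True,
                                                   now=now + COOKIE_LIFETIME_SECONDS + 1) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that any server holding the shared key can mint a cookie that another replica will accept without a login prompt, so the key's distribution to the replica group is the trust boundary, and the time stamp is the only limit on how long a captured cookie stays usable.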