Reissue of missing failover cookies
In certain proxied environments, it is possible for a client with a valid session to lose a failover cookie. Such a client can continue to maintain a session with the initial WebSEAL system. However, without the failover cookie, the client cannot fail over to a new system.
You can use the reissue-missing-failover-cookie stanza entry in the [failover] stanza of the WebSEAL configuration file to help ensure that a client always has a failover cookie for the duration of the session when failover authentication is enabled. Valid values are “yes” (enable) and “no” (disable).
The failover cookie reissue mechanism is disabled by default. For example:
[failover]
reissue-missing-failover-cookie = no
When reissue-missing-failover-cookie = yes, WebSEAL saves any failover cookie generated for a client in the WebSEAL session cache entry for that client. If previous cookie contents are already stored in the cache entry, they are removed and replaced with the new cookie data.
If the client makes a subsequent request to that WebSEAL server and does not supply the failover cookie in the request, WebSEAL reissues the cached original failover cookie in the response to the client, based on the following conditions:
- The failover cookie reissue mechanism is enabled:
  reissue-missing-failover-cookie = yes
- The client has a valid session.
- Failover authentication is enabled for this client type.
- A failover cookie for this client has been stored in the session cache entry for that client.
- No other mechanism has generated a new failover cookie for this request.
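A configuration check for the setting described above, as an added example that is not part of the product documentation: it reads the text of a WebSEAL configuration file and reports the effective value of reissue-missing-failover-cookie in the [failover] stanza. The '#' comment syntax, exact matching of yes/no, treating a duplicated entry as undecidable, and the sample file contents are assumptions of this example.

```python
import re

ENTRY = "reissue-missing-failover-cookie"
DEFAULT = "no"  # per the page: the reissue mechanism is disabled by default

def reissue_setting(conf_text):
    """Return (effective value, or None if undecidable; list of findings)."""
    stanza, seen, findings = None, [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' begins a comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            stanza = header.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != ENTRY:
            continue
        if stanza == "failover":
            seen.append((lineno, value.strip()))
        else:
            findings.append(f"line {lineno}: {ENTRY} is outside [failover] (in [{stanza}])")
    if not seen:
        findings.append(f"{ENTRY} not set in [failover]; default '{DEFAULT}' applies")
        return DEFAULT, findings
    if len(seen) > 1:
        lines = ", ".join(str(n) for n, _ in seen)
        findings.append(f"{ENTRY} set more than once in [failover] (lines {lines})")
        return None, findings
    lineno, value = seen[0]
    if value not in ("yes", "no"):
        findings.append(f"line {lineno}: invalid value {value!r}; expected yes or no")
        return None, findings
    return value, findings

# Constructed sample: the entry sits under the wrong stanza and is commented
# out under [failover], so the default applies and cookies are not reissued.
SAMPLE = """\
[session]
reissue-missing-failover-cookie = yes

[failover]
# reissue-missing-failover-cookie = yes
"""

if __name__ == "__main__":
    value, findings = reissue_setting(SAMPLE)
    print("effective:", value)
    for finding in findings:
        print(" -", finding)
```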