Use of the same session key over different transports
We can configure WebSEAL to use the same session, or not, when a client authenticates over one type of transport (HTTP, for example), establishes a session, and then connects over another type of transport (HTTPS, for example).
The use-same-session stanza entry, located in the [session] stanza of the WebSEAL configuration file, provides the following two choices:
- no

  When a client authenticates over one transport, establishes a session, and then connects over another transport, the client must authenticate again. A separate session is created using a second session key. The two sessions are maintained independently in the WebSEAL session cache. The session key used for future connections is selected according to the transport the client uses.

  ```
  [session]
  use-same-session = no
  ```

- yes

  When a client authenticates over one transport, establishes a session, and then connects over another transport, the client uses the same session and corresponding session key created for the first transport. The client is not required to authenticate a second time.

  ```
  [session]
  use-same-session = yes
  ```
A "yes" configuration setting for this stanza entry results in the following conditions:
- The HTTP header is used to maintain sessions for clients accessing with HTTP headers over all transport types.
- The IP address is used to maintain sessions for clients accessing with IP addresses.
- Session cookies are used to maintain sessions for all other authentication methods.
- The ssl-id-sessions configuration is ignored; the resulting behavior is the same as if ssl-id-sessions were set to "no". This logic is important because HTTP clients do not have an SSL session ID available as session data.
- Because the cookies must be available to both HTTP and HTTPS clients, they are not flagged with the "secure" cookie attribute, so the session cookie is also sent over unencrypted HTTP connections.
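The following is an added configuration-audit example; it is not WebSEAL product code and not part of this documentation. It assumes the configuration file uses INI-style stanzas ("[session]") with "key = value" entries as shown above, and it reports the consequences the page lists for use-same-session = yes (one session key shared across HTTP and HTTPS, ssl-id-sessions ignored, session cookies without the "secure" attribute). The function names, finding strings and sample configurations are this example's own.

```python
"""Audit a WebSEAL-style [session] stanza for the use-same-session setting.

Added example, not WebSEAL code. It assumes INI-style stanzas with
"key = value" entries, as shown in the documentation above.
"""
import configparser
from io import StringIO

# Constructed sample configurations, one for each setting.
SAME_SESSION_YES = """
[session]
use-same-session = yes
ssl-id-sessions = yes
"""

SAME_SESSION_NO = """
[session]
use-same-session = no
ssl-id-sessions = yes
"""


def parse_session_stanza(text: str) -> dict:
    """Return the [session] stanza as a dict of lowercase keys to lowercase values."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_file(StringIO(text))
    if not parser.has_section("session"):
        return {}
    return {key.lower(): value.strip().lower() for key, value in parser.items("session")}


def audit_use_same_session(text: str) -> list:
    """Return findings describing what use-same-session = yes implies.

    Each finding restates a consequence given in the documentation; an empty
    list means the stanza keeps sessions per transport (the "no" setting or
    an absent entry).
    """
    session = parse_session_stanza(text)
    value = session.get("use-same-session", "no")
    findings = []
    if value == "yes":
        findings.append(
            "use-same-session = yes: one session key is shared across HTTP and HTTPS"
        )
        findings.append(
            "session cookies are not flagged 'secure' and are sent over plain HTTP"
        )
        if session.get("ssl-id-sessions") == "yes":
            findings.append(
                "ssl-id-sessions = yes is ignored while use-same-session = yes"
            )
    return findings


if __name__ == "__main__":
    for label, config in (("yes", SAME_SESSION_YES), ("no", SAME_SESSION_NO)):
        print(f"use-same-session = {label}:")
        for finding in audit_use_same_session(config) or ["no findings"]:
            print("  -", finding)
```

Run it against a copy of the WebSEAL configuration file by reading the file's text into audit_use_same_session; the check is deliberately limited to the [session] stanza and the two entries the page discusses.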
See Valid session key data types.