Configure HTTP headers to maintain session state

To configure HTTP headers to maintain session state, specify the header names in the [session-http-headers] stanza of the WebSEAL configuration file.

Each header is listed on a per-transport basis. The same header can be listed for both transports. Valid transports include "http" and "https". Use the following syntax:

[session-http-headers]
header-name = http|https

For example:

[session-http-headers]
entrust-client = http
entrust-client = https

Conditions for HTTP header session key configuration:

• To allow HTTP headers to be used for maintaining session state, we must set:

  [session]
  ssl-id-sessions = no

• If ssl-id-sessions = yes, the [session-http-headers] stanza is ignored. An exception occurs if MPA support is enabled:

  [mpa]
  mpa = yes

• WebSEAL must be configured to accept only HTTP headers in requests proxied through an authenticated multiplexing proxy agent (MPA). See Setup for requiring requests from an MPA.
• List all headers to be used for maintaining sessions.
• Limit the header list to no more than 20 entries per transport.
• Do not include the colon (:) character in the header names.
• HTTP headers can be enabled and disabled on a per-transport basis.

Process flow for establishing session state with HTTP headers:

• Session cookies always take precedence over HTTP headers for maintaining session state.

  Upon receiving a request, WebSEAL first looks for a session cookie before continuing to look for configured HTTP headers.

  If an incoming request contains a WebSEAL session cookie, WebSEAL does not look for any configured HTTP headers.

• If a request (containing no session cookie) has an HTTP header matching an entry in the [session-http-headers] stanza, that HTTP header is used to maintain session state for that client.
• More than one header can be entered into the [session-http-headers] stanza. WebSEAL stops searching requests when the first matching HTTP header is found, regardless of Whether or not the header is a key to an existing cache entry.

  For example, two headers are configured in the order header A, then header B. A session is established using header B. Header A is for some reason added to a later request from the same client. WebSEAL searches the [session-http-headers] stanza and finds a match with header A. Because the existing entry for that client in the session cache is based on header B, WebSEAL does not find an existing session cache entry and prompts the user to authenticate.

• If no entries exist in the [session-http-headers] stanza, WebSEAL uses session cookies to maintain session state.

• If ssl-id-sessions = no and none of the configured HTTP headers are found in an incoming request, WebSEAL uses session cookies to maintain sessions.

Parent topic: Maintain session state with HTTP headers