Access Manager cluster cookie sending same value twice in different cookie names

  • 7004089
  • 04-Aug-2009
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Support Pack 1 applied

Situation

Access Manager setup with multiple Identity (IDP) servers and multiple Access Gateway (LAG) proxy servers in corresponding IDP and LAG clusters. With clustered Access Manager 3.0 and 3.1 setups, the IDP server and embedded service provider (ESP) component of the LAG would set cluster cookies on the browser upon initial access to that IDP/LAG ESP device. The set cookie header would look as follows:

Set-Cookie: urn:novell:nidp:cluster:member:id=~03~0Bslo~0A~0B~14mop~0C~09; Path=/nidp (or /nesp on LAG ESP)

The cookie value included an obfuscated version of the IP address of the IDP (in example above) device initially accessed. When a load balancer sent the browser request to another IDP device in the same cluster, that IDP server would process the cookie, extract the IP address, and proxy the request to the IP address of the IDP server the user initially accessed.

With Access Manager 3.1 Support Pack 1, we now set two cookies:

Set-Cookie: UrnNovellNidpClusterMemberId=~03~0Bslo~0A~0B~14mop~0C~09; Path=/nidp
Set-Cookie: urn:novell:nidp:cluster:member:id=~03~0Bslo~0A~0B~14mop~0C~09; Path=/nidp

Both cookies include the same information.

Resolution

The cookie specifications stimpulate that the colon ':' character cannot be used in a cookie, so they were removed in the latest IDP/ESP builds. For backward compatibility however, where older and newer versions of IDP/ESP servers existed in the same cluster, it was decided that we would continue to set the two types of cookies. This solution will not impact functionality or performance.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.