Use of the same session key over different transports

You can configure WebSEAL to use the same session, or not, when a client authenticates over one type of transport (HTTP, for example), establishes a session, and then connects over another type of transport (HTTPS, for example).

The use-same-session stanza entry, located in the [session] stanza of the WebSEAL configuration file, provides the following two choices:

  • No

    When a client authenticates over one transport, establishes a session, and then connects over another transport, the client must authenticate again. A separate session is created using a second session key. The two sessions are maintained independently in the WebSEAL session cache. The appropriate session key used for future connections is determined by the transport that the client uses.

    [session]
    use-same-session = no
  • Yes

    When a client authenticates over one transport, establishes a session, and then connects over another transport, the client uses the same session and corresponding session key that was created for the first transport. The client is not required to authenticate a second time.

    [session]
    use-same-session = yes

A "yes" configuration setting for this stanza entry results in the following conditions:

  • The HTTP header is used to maintain sessions for clients accessing with HTTP headers over all transport types.
  • The IP address is used to maintain sessions for clients accessing with IP addresses.
  • Session cookies are used to maintain sessions for all other authentication methods.
  • The ssl-id-sessions configuration is ignored; the resulting behavior is the same as if ssl-id-sessions were set to “no”.

    This logic is important because HTTP clients do not have an SSL session ID available as session data.

  • Because the cookies are available to both HTTP and HTTPS clients, they are not flagged with the "secure" cookie attribute.

See Valid session key data types.