Configuring the authentication and access module for cookieless operation

To allow the Authentication and access module to function like an API, the use of a client-side cookie can be avoided with an advanced configuration option.

Before you begin

Configure the appliance to use Authentication-based and Content-based access with one of the following methods:
  • Use the internal High Volume Database (HVDB)
  • Set up an external HVDB
  • Set up a Distributed Session Cache (DSC)

About this task

When the cookieless operation is enabled, several configuration options are available to suit a range of deployment configurations and use cases.

In high availability or clustered environments, it is recommended that session affinity is enforced for long enough to allow session replication between nodes. How long the sticky session must be enforced depends on the deployment.

During normal operation a jsession cookie is still returned. However, if this session cookie is returned in subsequent requests, it is ignored by the authentication service.

Note: This configuration option only removes the reliance on session cookies for the authentication service endpoints (/sps/authsvc and /spsapiauthsvc). Users still require a WebSEAL session cookie to maintain state.

Configure the Authentication-based and Content-based access module so that it does not rely on client-side cookies to store authentication information.

Administrators can choose to store this information in either the DSC, Memory, or the HVDB, depending on deployment requirements.

Procedure

  1. In the local management interface, click Secure Access Control > Advanced Configuration.
  2. To enable cookieless operation, toggle the authsvc.stateMgmt.cookieless key to Enabled.
  3. Select the session store by using the authsvc.stateMgmt.store key (either DSC for the Distributed Session Cache, HVDB for the High Volume Database, or Memory for JVM memory caching):
    • Distributed Session Cache (DSC)
      1. Enable the distributedSessionCache.enabled key.
      2. Set DSC parameters:
        • distributedSessionCache.localCacheEnabled
        • distributedSessionCache.localCacheSize
        • distributedSessionCache.externalServers
    • High Volume Database (HVDB) or Memory
      1. Set authsvc.stateMgmt.HVDB.cleanupOnlyOnPrimaryMaster so that, in clustered environments, only the primary master removes sessions.
      2. Set authsvc.stateMgmt.HVDB.cleanupThread.batchSize if a maximum cleanup batch size is required.
        Note: Setting this parameter as 0 disables this option.
      3. Set authsvc.stateMgmt.HVDB.cleanupWait to control the cleanup thread run frequency.
        Note: Setting this parameter to -1 disables the cleanup thread.
      4. Set authsvc.stateMgmt.HVDB.lifetime for the maximum lifetime of a session in the HVDB.
      5. Set authsvc.stateMgmt.maxSessions to control the maximum number of sessions to cache. When this value is exceeded, IBM Security Access Manager removes the oldest sessions in the cache.
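As an added example (not part of the IBM documentation and not an appliance API), the following check applies the constraints stated in this procedure to a proposed set of advanced-configuration values before they are entered in the local management interface. The key names are the documented keys; the value encoding (the strings "true"/"false" and decimal integers) and the `clustered` flag are assumptions made for the example.

```python
# Added example, not from the IBM documentation: check a proposed set of
# authentication service advanced-configuration values against the
# constraints this page states. Key names are the documented keys; the value
# encoding ("true"/"false" strings, decimal integers) is an assumption.

VALID_STORES = ("DSC", "HVDB", "Memory")
DSC_KEYS = (
    "distributedSessionCache.localCacheEnabled",
    "distributedSessionCache.localCacheSize",
    "distributedSessionCache.externalServers",
)
HVDB_KEYS = ("authsvc.stateMgmt.HVDB.lifetime", "authsvc.stateMgmt.maxSessions")


def _enabled(settings, key):
    return str(settings.get(key, "false")).lower() == "true"


def validate_cookieless_config(settings, clustered=False):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    if not _enabled(settings, "authsvc.stateMgmt.cookieless"):
        return ["authsvc.stateMgmt.cookieless is not Enabled"]
    store = settings.get("authsvc.stateMgmt.store")
    if store not in VALID_STORES:
        return [f"authsvc.stateMgmt.store must be one of {VALID_STORES}, got {store!r}"]
    if store == "DSC":
        # The DSC store needs the cache itself enabled plus its three parameters.
        if not _enabled(settings, "distributedSessionCache.enabled"):
            findings.append("store is DSC but distributedSessionCache.enabled is not Enabled")
        findings += [f"{k} is not set" for k in DSC_KEYS if k not in settings]
        return findings
    # HVDB or Memory: cleanup thread and sizing parameters.
    if clustered and not _enabled(settings, "authsvc.stateMgmt.HVDB.cleanupOnlyOnPrimaryMaster"):
        findings.append("clustered deployment but cleanupOnlyOnPrimaryMaster is not Enabled; "
                        "the page recommends it so only the primary master removes sessions")
    wait = int(settings.get("authsvc.stateMgmt.HVDB.cleanupWait", 0))
    batch = int(settings.get("authsvc.stateMgmt.HVDB.cleanupThread.batchSize", 0))
    if wait == -1:
        # Documented meaning of -1: the cleanup thread never runs.
        findings.append("cleanupWait is -1: the cleanup thread is disabled, so it purges no expired sessions")
    elif wait < -1 or batch < 0:
        findings.append("cleanupWait below -1 or a negative batchSize has no documented meaning")
    findings += [f"{k} is not set" for k in HVDB_KEYS if k not in settings]
    return findings
```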