
Question

WebSTS Cookie Protection Configuration

asked on August 21

Good afternoon, 

I've reviewed available documentation and I'm not finding much regarding the WebSTS version 12 Cookie Protection configuration requirements.

We have a scenario where we have a WebSTS (STS1) on a LFWeb server where components like Forms and Web Client are installed and a WebSTS (STS2) on a LFApp server where components like LFDS and LFS are installed. 
 

Originally we configured the STS1 and STS2 endpoint utilities with the Cookie Protection>Cookie Handler configured to "Encrypt for multiple STS instances". What we are finding is that, with them configured this way, when users attempt to sign into the web components they are redirected back to the sign-in page. If the Cookie Protection>Cookie Handler is configured to "No Encryption" or "Encrypt for Single STS instance", sign-in works as expected, redirecting to the Laserfiche repository.

It's my understanding that when multiple STS instances is configured, a shared key for encrypting cookies would be used. Set to a single STS instance, it uses its own key. But I'm not finding much on how this key is shared, or whether there are any additional comms that need to be open between STS1 and STS2 for this configuration, etc.

Hoping someone here may be able to provide some guidance!

4 0

Replies

replied on September 25

"Multiple instances" only means deploying STS in web farms (where a cookie written by one instance might be read by other instances). In your environment, those two STS instances are isolated; they don't share cookies, unless you have changed the host of the cookie to something like "*.domainname.com".

So "Encrypt for Single STS instance" is the option you should use.

 

Without special configuration, if a user has already logged in to an application guarded by STS1, when she accesses an application guarded by STS2, she will be prompted to log in at STS2 again, and she can provide a credential different from the one used at STS1.

0 0
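
A generic model of the point made in the reply above, added here as an example (it is not Laserfiche code and not from either poster): whether an instance ever receives another instance's cookie depends on the cookie's host scope, and whether it can read it depends on the key. The host names, the keys, and the HMAC tag standing in for WebSTS's cookie encryption are assumptions.

```python
import hashlib
import hmac

def domain_match(request_host, cookie_domain, host_only):
    """RFC 6265 sec. 5.1.3: would the browser send this cookie to request_host?"""
    host, dom = request_host.lower(), cookie_domain.lower().lstrip(".")
    if host_only:                      # no Domain attribute: exact host only
        return host == dom
    return host == dom or host.endswith("." + dom)

class StsInstance:
    """Hypothetical STS model; an HMAC tag stands in for cookie encryption."""
    def __init__(self, host, key):
        self.host, self.key = host, key

    def _tag(self, user):
        return hmac.new(self.key, user.encode(), hashlib.sha256).hexdigest()

    def issue(self, user):
        return f"{user}.{self._tag(user)}"

    def accept(self, cookie):
        """Return the user, or None when the cookie fails this instance's key."""
        user, _, tag = cookie.rpartition(".")
        ok = hmac.compare_digest(tag.encode(), self._tag(user).encode())
        return user if ok else None

def outcome(issuer, reader, cookie_domain, host_only):
    """What `reader` does with a cookie that `issuer` set in the browser."""
    cookie = issuer.issue("alice")     # constructed sample user
    if not domain_match(reader.host, cookie_domain, host_only):
        return "no cookie sent"        # reader just shows its own sign-in page
    return "signed in" if reader.accept(cookie) else "redirect to sign-in"

def scenarios():
    # Constructed hosts and keys; only "domainname.com" appears in the thread.
    own1 = StsInstance("lfweb.domainname.com", b"constructed-key-1")
    own2 = StsInstance("lfapp.domainname.com", b"constructed-key-2")
    shared1 = StsInstance("lfweb.domainname.com", b"constructed-shared-key")
    shared2 = StsInstance("lfapp.domainname.com", b"constructed-shared-key")
    return {
        "isolated, own keys": outcome(own1, own2, own1.host, True),
        "same instance": outcome(own1, own1, own1.host, True),
        "widened host, own keys": outcome(own1, own2, "domainname.com", False),
        "widened host, shared key": outcome(shared1, shared2, "domainname.com", False),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```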