| Field | Details |
|---|---|
| Applies To | RSA ClearTrust Web Agent Extension (WAX) API; Sun Solaris 2.8 |
| Issue | WAX status handler for session expiration in RSA ClearTrust doesn't allow reauthentication. A WAX implementation consisting of a custom status handler based on the standard sample (redirect.c) correctly redirects a browser to a custom error page upon CT_SESSION_EXPIRED status, but then does not allow the user to reach the original target URI after resupplying credentials. The user is always redirected back to the error page for the CT_SESSION_EXPIRED status. |
| Cause | CT_SESSION_EXPIRED differs from the other error statuses, which reflect authentication failure states. Session expiration is checked in the Session Phase Handler, which runs before the Authentication Phase Handler. If a session is expired, the custom status handler ends processing, so Authentication Phase Handler processing never occurs. |
| Resolution | To correct this issue, modify the custom status handler to add the original target URI into the CT_USER_DATA field, and set the WAX status to CT_CREATE_COOKIE so that processing continues in the Cookie Phase Handler. This writes the modified cookie containing the CT_USER_DATA. In the second WAX iteration, a custom Session Phase Handler checks whether CT_USER_DATA is populated. If so, the Session Phase Handler directs processing to continue normally, and the default status handler forces redirection to the ct_logon page for reauthentication. |
| Legacy Article ID | a21126 |
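The two-pass flow in the Resolution is easier to follow as a small model. The C below is an added example, not code from the article or from RSA: every type, function and constant value in it is a constructed stand-in for the real WAX API (the `wax_ctx` struct, `CT_AUTH_REQUIRED`, `CT_REDIRECT`, the handler function names and the `/session_expired.html` page are all assumptions). Only the names CT_SESSION_EXPIRED, CT_CREATE_COOKIE, CT_USER_DATA and the ct_logon page come from the article. It also adds one check a practitioner will want: because the target URI is stored in a cookie the browser can tamper with, the model only carries it forward when it is a same-site absolute path, so the post-login redirect cannot be turned into an open redirect.

```c
/* Added example: model of the fixed two-pass WAX flow. Not the ClearTrust API. */
#include <stdio.h>
#include <string.h>

enum wax_status {            /* constructed values, not the real WAX codes */
    CT_OK = 0,
    CT_SESSION_EXPIRED,
    CT_CREATE_COOKIE,
    CT_AUTH_REQUIRED,        /* hypothetical: auth phase found no credentials */
    CT_REDIRECT
};

#define CT_USER_DATA_LEN 256

struct wax_ctx {                         /* hypothetical per-request context */
    int  session_expired;                /* result of the session check */
    char target_uri[CT_USER_DATA_LEN];   /* URI the browser asked for */
    char user_data[CT_USER_DATA_LEN];    /* models the cookie's CT_USER_DATA */
    char redirect_to[CT_USER_DATA_LEN];  /* where the agent sends the browser */
};

/* Accept only a same-site absolute path: a scheme-relative "//host" or a full
 * URL stored in the cookie would let the post-login redirect leave the site. */
static int is_safe_local_target(const char *uri)
{
    return uri[0] == '/' && uri[1] != '/' && uri[1] != '\\';
}

/* Custom status handler with the fix: remember the target in CT_USER_DATA and
 * hand off to the Cookie Phase Handler instead of ending processing. */
static enum wax_status custom_status_handler(struct wax_ctx *c, enum wax_status st)
{
    if (st != CT_SESSION_EXPIRED || !is_safe_local_target(c->target_uri))
        return st;               /* other statuses, or unsafe targets: unchanged */
    snprintf(c->user_data, sizeof c->user_data, "%s", c->target_uri);
    return CT_CREATE_COOKIE;
}

/* Custom Session Phase Handler for the second iteration. */
static enum wax_status custom_session_phase(const struct wax_ctx *c)
{
    if (c->user_data[0] != '\0')
        return CT_OK;            /* CT_USER_DATA populated: continue normally */
    return c->session_expired ? CT_SESSION_EXPIRED : CT_OK;
}

/* Default status handler: ct_logon for a missing login, else the error page. */
static enum wax_status default_status_handler(struct wax_ctx *c, enum wax_status st)
{
    if (st == CT_AUTH_REQUIRED)
        snprintf(c->redirect_to, sizeof c->redirect_to,
                 "/ct_logon?target=%s", c->user_data);
    else
        snprintf(c->redirect_to, sizeof c->redirect_to, "/session_expired.html");
    return CT_REDIRECT;
}

/* One request through the agent; use_fix selects the custom handlers. */
static enum wax_status handle_request(struct wax_ctx *c, int use_fix)
{
    enum wax_status st = use_fix ? custom_session_phase(c)
                                 : (c->session_expired ? CT_SESSION_EXPIRED : CT_OK);
    if (st == CT_SESSION_EXPIRED) {
        if (use_fix)
            st = custom_status_handler(c, st);
        if (st == CT_CREATE_COOKIE)
            return CT_CREATE_COOKIE;        /* cookie written; browser comes back */
        return default_status_handler(c, st);   /* the original dead end */
    }
    if (!c->session_expired)
        return CT_OK;                       /* valid session: serve the request */
    /* Authentication Phase: an expired session carries no valid credentials */
    return default_status_handler(c, CT_AUTH_REQUIRED);
}

/* Runs the first iteration and, after CT_CREATE_COOKIE, the second one. */
enum wax_status run_flow(struct wax_ctx *c, int use_fix)
{
    enum wax_status st = handle_request(c, use_fix);
    if (st == CT_CREATE_COOKIE)
        st = handle_request(c, use_fix);    /* second WAX iteration */
    return st;
}

/* Runs the flow on a constructed request and compares the final redirect. */
int flow_redirects_to(int expired, const char *target, int use_fix, const char *expected)
{
    struct wax_ctx c;
    memset(&c, 0, sizeof c);
    c.session_expired = expired;
    snprintf(c.target_uri, sizeof c.target_uri, "%s", target);
    run_flow(&c, use_fix);
    return strcmp(c.redirect_to, expected) == 0;
}

int main(void)
{
    struct wax_ctx c;
    memset(&c, 0, sizeof c);
    c.session_expired = 1;
    snprintf(c.target_uri, sizeof c.target_uri, "%s", "/app/report");
    run_flow(&c, 1);
    printf("with fix:    %s\n", c.redirect_to);   /* ct_logon, target preserved */
    memset(&c, 0, sizeof c);
    c.session_expired = 1;
    snprintf(c.target_uri, sizeof c.target_uri, "%s", "/app/report");
    run_flow(&c, 0);
    printf("without fix: %s\n", c.redirect_to);   /* stuck on the error page */
    return 0;
}
```

With the fix the expired request ends at ct_logon with the original target carried in CT_USER_DATA; without it the custom handler still terminates at the error page, which is the loop the Issue describes. A scheme-relative target such as `//evil.example/x` is deliberately not stored, so it falls back to the plain error page rather than being replayed after login.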