000021131 - WAX status handler for session expiration in RSA ClearTrust doesn't allow reauthentication

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000021131
Applies To: RSA ClearTrust Web Agent Extension (WAX) API, Sun Solaris 2.8
Issue: WAX status handler for session expiration in RSA ClearTrust doesn't allow reauthentication
A WAX implementation consisting of a custom status handler based on the standard sample (redirect.c) correctly redirects a browser to a custom error page upon CT_SESSION_EXPIRED status, but then does not allow the user to get to the original target URI after resupplying credentials. The user is always redirected back to the error page for the CT_SESSION_EXPIRED status.
Cause: CT_SESSION_EXPIRED is different from other error statuses in that other error statuses reflect authentication failure states. Session expiration is checked in the Session Phase Handler, which occurs prior to the Authentication Phase Handler. If a session is expired, the custom status handler ends processing, so Authentication Phase Handler processing never occurs.
Resolution: To correct this issue, modify the custom status handler to add the original target URI into the CT_USER_DATA field, and set the WAX status to CT_CREATE_COOKIE to continue processing in the Cookie Phase Handler. This will write the modified cookie containing the CT_USER_DATA.

In the 2nd WAX iteration, a custom Session Phase Handler checks to see if CT_USER_DATA is populated. If so, the Session Phase Handler directs processing to continue normally, and the default status handler forces redirection to the ct_logon page for reauthentication.
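
The loop and the fix described above, modelled as a small state machine. This is an added example, not RSA's code and not the WAX API: every type and function name is hypothetical, the request URI is constructed, and only the CT_* names come from the article.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model; every type and function name here is hypothetical.
   Only the CT_* names come from the article. */
enum status  { CT_OK, CT_SESSION_EXPIRED, CT_CREATE_COOKIE };
enum outcome { ALLOWED, TO_ERROR_PAGE, COOKIE_WRITTEN, TO_CT_LOGON };

struct cookie { int expired; char ct_user_data[128]; };

/* Session Phase Handler. The fixed version treats a populated CT_USER_DATA
   as "expiry already handled" and lets processing continue. */
static enum status session_phase(const struct cookie *c, int fixed) {
    if (fixed && c->ct_user_data[0] != '\0') return CT_OK;
    return c->expired ? CT_SESSION_EXPIRED : CT_OK;
}

/* Custom status handler for CT_SESSION_EXPIRED. */
static enum status status_handler(struct cookie *c, const char *uri, int fixed) {
    if (!fixed) return CT_SESSION_EXPIRED;      /* original: stop here */
    snprintf(c->ct_user_data, sizeof c->ct_user_data, "%s", uri);
    return CT_CREATE_COOKIE;                    /* fixed: go on to cookie phase */
}

/* One WAX iteration for a request to uri carrying cookie c. */
enum outcome wax_iteration(struct cookie *c, const char *uri, int fixed) {
    if (session_phase(c, fixed) == CT_SESSION_EXPIRED)
        return status_handler(c, uri, fixed) == CT_CREATE_COOKIE
                   ? COOKIE_WRITTEN : TO_ERROR_PAGE;
    /* Past the session phase: a live session is served; an expired one
       reaches authentication handling and is sent to ct_logon. */
    return c->expired ? TO_CT_LOGON : ALLOWED;
}

int main(void) {
    const char *uri = "/app/report";            /* constructed sample URI */
    struct cookie a = {1, ""}, b = {1, ""};
    int first = wax_iteration(&a, uri, 0), second = wax_iteration(&a, uri, 0);
    printf("original: %d then %d\n", first, second);   /* error page twice */
    first = wax_iteration(&b, uri, 1); second = wax_iteration(&b, uri, 1);
    printf("fixed: %d then %d, saved %s\n", first, second, b.ct_user_data);
    return 0;
}
```
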
Legacy Article ID: a21126