Failed to Decode SMSESSION Cookie

The users of a Siteminder protected website report they are being redirected to the Siteminder login pages. If you check the web server’s Siteminder Agent log, you find the following message logged: “Failed to decode SMSESSION cookie”. Logged directly after that is a message that the user was redirected to the login address.

Solution: Failed to Decode SMSESSION Cookie

The SMSESSION is a cookie that Siteminder creates on the client’s device during login. The SMSESSION stores the User’s ID, the Authenticating Directory ID, and various Siteminder information.

In general, this type of message means that the Siteminder Web Agent running on the web server cannot decode and use the SMSESSION Cookie that the client’s browser is providing. Since the SMSESSION Cookie cannot be used to validate the client’s identity, the Siteminder Agent redirects the client to the login page to reauthenticate and create a new SMSESSION Cookie.

There are three likely causes for “Failed to Decode SMSESSION Cookie”:

  • The system time is out of sync on the Web Server and the Siteminder Policy server. Check the time on both servers. If there’s a difference of 60 seconds or more, sync them with a time provider.
  • SMSESSION Cookie is expired. When this happens you will see a message in the trace log indicating that the cookie is expired. In many situations it is normal for the SMSESSION to expire. This error can happen when the application explicitly expires the SMSESSION cookie. To confirm, you need to capture the whole session in a tool like Fiddler and see if the SMSESSION cookie is being expired by the application.
  • The Siteminder Web Agent is not getting updated keys from the Siteminder Policy Server. The Web Agent Server is not pulling down keys correctly. You should see evidence of this in the Agent Log File. To resolve this, rerun smreghost to re-register the Web Agent. This restarts communications with the policy server. After running smreghost, copy the new SMHost.conf to the config directory. Restart IIS or Apache and kill the existing llawp.exe.
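For the second cause, the capture can be checked mechanically instead of by eye. The following is an added example, not part of the original article or of any Siteminder tooling: it assumes the session was exported from the capture tool as a HAR file and lists every response whose Set-Cookie header expires or blanks SMSESSION. The sample data, host names and function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample HAR (placeholder hosts and cookie values, not a real capture).
def _entry(url, status, *cookies):
    return {"request": {"url": url}, "response": {"status": status,
            "headers": [{"name": "Set-Cookie", "value": c} for c in cookies]}}

SAMPLE_HAR = json.dumps({"log": {"entries": [
    _entry("https://app.example.test/login", 302, "SMSESSION=AbCd123; path=/; HttpOnly"),
    _entry("https://app.example.test/app/reset", 200,
           "SMSESSION=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/", "JSESSIONID=x; path=/app"),
    _entry("https://app.example.test/app/idle", 200, "SMSESSION=zz; Max-Age=0; path=/"),
]}})

def expiry_reason(set_cookie, now):
    """Return why one Set-Cookie value expires SMSESSION, or None if it does not."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    if name.strip() != "SMSESSION":
        return None
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in parts[1:])}
    try:
        if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
            if int(attrs["max-age"]) <= 0:
                return "Max-Age <= 0"
        elif "expires" in attrs:
            when = parsedate_to_datetime(attrs["expires"])
            when = when if when.tzinfo is not None else when.replace(tzinfo=timezone.utc)
            if when <= now:
                return "Expires in the past"
    except (TypeError, ValueError):
        return "unparseable Expires/Max-Age"
    return "empty value" if not value.strip() else None

def find_expirations(har_text, now=None):
    """List (url, status, reason) for each response that expires SMSESSION."""
    now = now or datetime.now(timezone.utc)
    hits = []
    for e in json.loads(har_text)["log"]["entries"]:
        for h in e["response"]["headers"]:
            if h["name"].lower() == "set-cookie":
                for line in h["value"].splitlines():  # some exporters join cookies with \n
                    if (reason := expiry_reason(line, now)):
                        hits.append((e["request"]["url"], e["response"]["status"], reason))
    return hits

if __name__ == "__main__": print(*find_expirations(SAMPLE_HAR), sep="\n")
```

When analysing an old capture, pass the capture time as `now` so that a cookie that was still valid at the time is not reported as expired.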

 

My name is Edgar Frost. I have 40 years of experience working in Information Technology, starting with the mainframe and also working with distributed technologies, LDAP, and Siteminder. My goal is to bring an Enterprise mindset to technology.