cookie expired error with SSE GW connection

Hi Community,

Do you know under what conditions we see “Cookie expired” or “Invalid cookie” in the gateway logs when a client attempts to connect to the gateway?

Comments

  • Hi fun4net,

    It is cookie‑based credential caching between the SASE client and the SASE Gateway. This allows the client to maintain or re-connect the tunnel transparently to the end user, but forces a re‑authentication for the end user (providing user credentials to establish the tunnel) when the cookie expires. Instead of relying on cached passwords (the legacy method), the Versa Portal/Gateway Authentication Profile uses cookie-based caching.

    Once the cookie has expired since the last successful authentication of the user, the user is challenged with the configured authentication method in order to connect to the SASE Gateway. If the cookie is valid, the user can connect to the same Gateway without an authentication challenge. In other words, during the cookie lifetime the SASE client will bypass the selected authentication method to provide a better user experience.

    The cookie timer can be configured in Concerto / Director under the user authentication profile. The default value is set to 720 minutes and it is an absolute value. When it expires, the user is forced to re-authenticate with the authentication method configured in the authentication profile.

    It is important to highlight that, with SSO authentication, once the cookie has expired, re-authentication can be transparent for the user if the authentication lifetime on the IDP is higher than the cookie timer. The Gateway will make the re-authentication challenge with the IDP transparently for the end user, and the cookie between the SASE Client and the SASE Gateway will be updated. On the other hand, if the SSO lifetime on the IDP side is shorter than the configured Cookie Expiry Time, the re-authentication challenge after the cookie has expired will require the user to authenticate on the IDP with the configured method, while during the time the cookie is valid, the user can still connect to the Gateway transparently even if its session lifetime has expired on the IDP portal. So it brings more flexibility to design the authentication policies, especially with the SSO use case.

    Lastly, the error “Cookie expired” or “Invalid cookie” in the Gateway logs doesn't by itself mean that something is not working. It just indicates that the SASE client attempted to connect to the Gateway using its cookie‑based credentials, but the cookie has expired, so an authentication challenge will happen next based on the authentication method configured in the authentication profile. The invalid cookie error might be because the SASE client tried to re-connect to a different Gateway, as the cookie is valid only during its lifetime and only with the Gateway where the initial authentication happened. Again, an invalid cookie doesn't indicate that something is not working; rather, it logs that an authentication challenge will be triggered when the user tries to connect.

    Hope it helps!
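
The reconnect behaviour described in the answer above, as a small Python model added here (not Versa code and not part of the original reply). The class and function names are hypothetical; treating the cookie as expired at exactly the timer value, and applying the transparent SSO path to the invalid-cookie case, are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

COOKIE_EXPIRY_MIN = 720  # default from the thread; absolute, not reset by reconnects


@dataclass
class Cookie:
    gateway: str         # gateway where the initial authentication happened
    issued_at: datetime  # time of the last successful authentication


@dataclass
class Outcome:
    gateway_log: Optional[str]  # message expected in the gateway log, if any
    user_prompted: bool         # True if the user must authenticate interactively
    cookie: Cookie              # cookie held by the client afterwards


def connect(cookie: Optional[Cookie], gateway: str, now: datetime,
            idp_session_end: Optional[datetime] = None,
            expiry_min: int = COOKIE_EXPIRY_MIN) -> Outcome:
    """Model one connection attempt. idp_session_end is None for non-SSO profiles."""
    log = None
    if cookie is not None:
        if cookie.gateway != gateway:
            log = "Invalid cookie"   # cookie is only valid on the issuing gateway
        elif now >= cookie.issued_at + timedelta(minutes=expiry_min):
            log = "Cookie expired"   # absolute timer since last authentication
        else:
            # Valid cookie: no challenge, even if the IdP session has already ended.
            return Outcome(None, False, cookie)
    # Authentication challenge. With SSO and a live IdP session the challenge is
    # transparent (assumed to apply to the invalid-cookie case as well).
    transparent = idp_session_end is not None and now < idp_session_end
    return Outcome(log, not transparent, Cookie(gateway, now))


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 8, 0)  # constructed timeline
    c = Cookie("gw-a", t0)
    idp_end = t0 + timedelta(minutes=60)  # IdP session shorter than cookie timer
    for minutes, gw in [(120, "gw-a"), (720, "gw-a"), (30, "gw-b")]:
        print(minutes, gw, connect(c, gw, t0 + timedelta(minutes=minutes), idp_end))
```

The first row of the constructed timeline is the case to check when sizing the cookie timer against the IdP session lifetime: the client reconnects without a challenge at 120 minutes although the IdP session ended at 60.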
