3.5 Cookie Mangling

When you log out of Access Manager, the Access Manager session cookie is invalidated on all Identity Servers and Access Gateway servers. However, the application session cookie is left unchanged on the browser and on the origin web server. If a different user authenticates to Access Manager on the same browser and accesses the proxy web server, the browser might resume the previously established HTTP session with the web server. The new user inherits the old logged out user’s session. The Cookie Mangling feature in Access Gateway prevents this scenario by manipulating the application cookies set by web servers, and invalidating these cookies when a user logs out of Access Manager.

Access Manager provides the following advanced options to use this functionality:

For information about how to set these options, see Access Gateway Advanced Options.

NAGHostOptions mangleCookies

To enable cookie mangling, add the options NAGHostOptions mangleCookies=on and NAGWSMangleCookiePrefix <AnyString> in the Global Advanced Option.

By default, NAGHostOptions mangleCookies is disabled.

NAGWSMangleCookiePrefix

Use the NAGWSMangleCookiePrefix <AnyString> option to specify the string added to the application cookie after manipulation. You can replace <AnyString> with a string of your choice.

For example, adding the NAGWSMangleCookiePrefix AGMANGLE results in the Set-Cookie: AGMANGLEa50b_DzkN=5a8G0 application level cookie set in the browser.

NAGWSMangleCookieDomainPath

Access Gateway cannot clean the mangled cookies in the following scenarios:

Over a period, a huge number of mangled cookies might get accumulated on the browser. As a result, Access Gateway might fail to process the new requests.

To avoid this issue, set this option to configure additional domain names and paths that Access Gateway will use while cleaning mangled cookies.

Use cases: