SharePoint 2010 WSS_KeepSessionAuthenticated cookie causing Authentication popup

We have published a SharePoint 2010 website using Sophos UTM 9 / Webserver protection. Part of the website needs authentication; this works fine. And part is anonymous and doesn't require a login to use.

If you go directly to the part that is anonymous, it works fine, no login requested.

If you log in to the rest of the website using your AD credentials, that also works fine. But if you keep your browser session and go back to the anonymous part, a Windows authentication prompt pops up, asking you to log in.

In the logs, I see this:

2018:02:28-14:01:44 name httpd: id="0299" srcip="x.x.x.x" localip="y.y.y.y" size="16" user="-" host="x.x.x.x" method="GET" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken" time="29671" url="/unauthecticatedpart/" server="www.website.com" port="443" query="" referer="-" cookie="ROUTEID.xxxxxxxxxxxxx=.node1; WSS_KeepSessionAuthenticated={e8cc92a6-8109-48d6-ad74-0a32a71469b2}; ROUTEID.cd107d9706d71153bafd4ab15f1c6b5d=.node1" set-cookie="lnymijbm_cookie=058a1edb9824fa239a44b4a03d2c041b2e41fc5a;path=/;httponly;secure, ROUTEID.cd107d9706d71153bafd4ab15f1c6b5d=.node2; path=/; httponly; secure, ROUTEID.41ebd3c2d718e137c9fdc485bfffa481=.node2; path=/sites/ext; httponly; secure, ROUTEID.0756d764893aa07e85f9561a8fd4cb3f=.node2; path=/unauthecticatedpart; httponly; secure" uid="WpaoOKwV@vsAAFYm7O0AAABr"

Which seems to suggest WSS_KeepSessionAuthenticated is the problem.

This post seems to exactly describe our problem:

https://rsa.jiveon.com/docs/DOC-48908:

".... in use cases where the user first accesses protected content and then subsequently accesses excluded content, the presence of the WSS_KeepSessionAuthenticated cookie will cause SharePoint 2010 to assume the user is still authenticated, but because there are no credentials will issue a 401 authentication prompt."

Is there a hotfix in UTM to fix this issue?

Thanks,

Richard.
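
One way to measure how often this happens from the reverse-proxy log, as an added example that is not part of the original thread or any Sophos tooling: it parses key="value" fields in the format of the log line quoted above and counts 401 responses to requests that present WSS_KeepSessionAuthenticated while the logged user is "-". The sample lines, host name and paths are constructed.

```python
import re
from collections import Counter

# key="value" pairs, as in the httpd log line quoted in the post
FIELD_RE = re.compile(r'(\w[\w-]*)="([^"]*)"')
COOKIE_NAME = "WSS_KeepSessionAuthenticated"

def parse_fields(line):
    """Return the key="value" pairs of one log line as a dict."""
    return dict(FIELD_RE.findall(line))

def cookie_names(cookie_header):
    """Names of the cookies in a logged Cookie header value."""
    names = set()
    for part in cookie_header.split(";"):
        name, sep, _ = part.strip().partition("=")
        if sep and name:
            names.add(name)
    return names

def is_stale_session_401(fields):
    """401 for a request with no logged user that still carries the cookie."""
    return (fields.get("statuscode") == "401"
            and fields.get("user", "-") == "-"
            and COOKIE_NAME in cookie_names(fields.get("cookie", "")))

def affected_urls(lines):
    """Count matching requests per (server, url)."""
    hits = Counter()
    for line in lines:
        f = parse_fields(line)
        if is_stale_session_401(f):
            hits[(f.get("server", "?"), f.get("url", "?"))] += 1
    return hits

# Constructed sample lines (not taken from a real log)
SAMPLE = [
    'httpd: id="0299" user="-" statuscode="401" url="/public/" server="www.example.test" '
    'cookie="ROUTEID.aaaa=.node1; WSS_KeepSessionAuthenticated={00000000-0000-0000-0000-000000000000}"',
    'httpd: id="0299" user="-" statuscode="200" url="/public/" server="www.example.test" cookie="-"',
    'httpd: id="0299" user="-" statuscode="401" url="/sites/ext/" server="www.example.test" '
    'cookie="ROUTEID.aaaa=.node1"',
]

if __name__ == "__main__":
    for (server, url), count in affected_urls(SAMPLE).items():
        print(f"{server}{url}: {count} x 401 with {COOKIE_NAME} and no user")
```

A 401 on a protected path without the cookie is the normal authentication challenge and is not counted; only the anonymous-path case described in the post matches.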



This thread was automatically locked due to age.
  • I doubt it, Richard, but please share what you learn from Sophos Support.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA