(v12.0.9150.35227 started 2025-01-19 18:44:37 on VM2)
Cookie Handling
Logon with OTP, TOTP, OAuth 2.0, FIDO2 and RADIUS uses cookies to store the session context (sessionID). A list of session IDs is shown here. The default name of the cookie is "appgwsessionid-" with the UID of the routing entry appended. That means that for each routing entry a separate logon is necessary. If you want only one logon for a group of routing entries, the cookie name must be defined via the keyword CKGRP so that these entries share the same cookie. CKGRP:cookiegroup ... cookiegroup is a string that is appended to the cookie name instead of the UID. This grouping works only if the routing entries are accessed by the client using the same DNS name, because the client sends cookies based on the destination name.
A domain name can be added to the cookiegroup so that the cookie is valid for the specified domain: CKGRP:cookiegroup$domain ... e.g. CKGRP:G1$mycomp.com. In this case the computer name is included in the name of the cookie so that it does not interfere with other computers in the same domain. One ApplicGate instance can then share cookies even if the routing entries are accessed via different host names of the same domain. Different ApplicGate instances on the same computer must use different cookiegroups if they are addressed via the same host name.
Note: If a client is logged on and its source address changes, the address is updated automatically in the SessionID entry. The timeout period of the SessionID is set to the maximum TTL of any session in the group, except when the group contains a logon session, in which case the TTL of the logon session is used (default: 3 minutes).
Usage of CKGRP only: If the keyword CKGRP is specified for a routing entry but the keywords OTPR and OA2 are missing, a matching cookie from another session is required in order to connect successfully. For example, one routing entry has GatewayIP2=logon with OTPR and/or OA2, and several other entries have the same cookiegroup but neither OTPR nor OA2. These entries can then be accessed (without additional authentication) only while the logon session is active.
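The following is an added illustration of the cookie naming and grouping rules described above; it is not ApplicGate code. It models how the cookie name is derived from the UID or from CKGRP, how a browser decides whether to send a host-only cookie versus a domain cookie (RFC 6265 domain matching), and the "CKGRP only" rule that an entry without OTPR/OA2 is reachable only while a logon session in its group is active. The exact layout in which the computer name is included in the cookie name (here "group-computername"), the computer name "gw1", the host names and the session id are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

COOKIE_PREFIX = "appgwsessionid-"


@dataclass
class RoutingEntry:
    uid: str                      # UID of the routing entry
    host: str                     # DNS name the client uses for this entry
    ckgrp: Optional[str] = None   # value of keyword CKGRP ("G1" or "G1$mycomp.com")
    logon: bool = False           # True if OTPR and/or OA2 are configured


def cookie_name(entry: RoutingEntry, computername: str = "gw1") -> Tuple[str, Optional[str]]:
    """Return (cookie name, cookie domain or None for a host-only cookie).

    Default: prefix + UID.  CKGRP:group -> prefix + group (host-only cookie).
    CKGRP:group$domain -> the computer name is included as well; the layout
    "group-computername" is an assumption of this illustration.
    """
    if entry.ckgrp is None:
        return COOKIE_PREFIX + entry.uid, None
    group, sep, domain = entry.ckgrp.partition("$")
    if not sep:
        return COOKIE_PREFIX + group, None
    return "%s%s-%s" % (COOKIE_PREFIX, group, computername), domain.lower()


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain matching: the host is the domain itself or a subdomain of it."""
    h, d = request_host.lower(), cookie_domain.lower()
    return h == d or h.endswith("." + d)


class CookieJar:
    """Minimal client-side jar: a host-only cookie is returned only to the host
    that set it; a domain cookie is returned to every host that domain-matches."""

    def __init__(self) -> None:
        self._cookies = []  # (name, domain or None, setting host, value)

    def store(self, name: str, domain: Optional[str], host: str, value: str) -> None:
        self._cookies.append((name, domain, host.lower(), value))

    def lookup(self, name: str, request_host: str) -> Optional[str]:
        for cname, domain, host, value in self._cookies:
            if cname != name:
                continue
            if domain is None and host == request_host.lower():
                return value
            if domain is not None and domain_matches(request_host, domain):
                return value
        return None


def logon(entry: RoutingEntry, jar: CookieJar, session_id: str, active_logon_sessions: set,
          computername: str = "gw1") -> None:
    """Simulate a successful OTPR/OA2 logon: the gateway sets the group cookie
    and records the session as an active logon session."""
    name, domain = cookie_name(entry, computername)
    jar.store(name, domain, entry.host, session_id)
    active_logon_sessions.add(session_id)


def can_connect(entry: RoutingEntry, jar: CookieJar, active_logon_sessions: set,
                computername: str = "gw1") -> bool:
    """'CKGRP only' rule: an entry with CKGRP but without OTPR/OA2 is reachable
    only if the client presents the group cookie and that session is an active
    logon session. Entries that authenticate themselves, or that have no CKGRP,
    need no prior session in this model."""
    if entry.logon or entry.ckgrp is None:
        return True
    name, _ = cookie_name(entry, computername)
    sid = jar.lookup(name, entry.host)
    return sid is not None and sid in active_logon_sessions


def demo() -> dict:
    """Constructed scenario: one logon entry and four CKGRP-only entries."""
    gate = RoutingEntry("U1", "app.mycomp.com", "G1$mycomp.com", logon=True)
    same_host = RoutingEntry("U2", "app.mycomp.com", "G1$mycomp.com")
    same_domain = RoutingEntry("U3", "api.mycomp.com", "G1$mycomp.com")
    other_domain = RoutingEntry("U4", "portal.example.net", "G1$mycomp.com")
    other_group = RoutingEntry("U5", "app.mycomp.com", "G2")

    jar, active = CookieJar(), set()
    logon(gate, jar, "sid-0001", active)   # constructed session id
    candidates = (same_host, same_domain, other_domain, other_group)
    before = {e.uid: can_connect(e, jar, active) for e in candidates}
    active.clear()                          # the logon session timed out
    after = {e.uid: can_connect(e, jar, active) for e in (same_host, same_domain)}
    return {"while_logged_on": before, "after_timeout": after}


if __name__ == "__main__":
    print(demo())
```

In the scenario, U2 (same host) and U3 (same domain, different host) ride on the logon performed at U1 because the cookie is scoped to mycomp.com; U4 never receives the cookie because the browser does not send it to a host outside that domain, and U5 uses a different cookie name, so it is not part of the group. Once the logon session expires, the group entries stop being reachable even though the cookie is still in the jar.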
Note for certificate logon: Logon with certificates does not use any cookies, but a SessionID is still stored. Source IP, email, issuer and UID identify a session. Therefore, if the source IP changes, a new SessionID is created.