User Identity and Activity Tracking and URL Monitoring

This content provides information about Web Agent user tracking and URL monitoring.
Track User Identity Across Anonymous Realms
When an anonymous user accesses resources, that user is assigned an SMIDENTITY (anonymous) cookie. An anonymous resource is a resource in a realm that does not require the user to present credentials. If the user moves to another domain, is challenged and logs in successfully, the user is then assigned an SMSESSION cookie.
A user might access protected and anonymous resources in a domain that contains SMIDENTITY and SMSESSION cookies. For resources protected by Web Agents starting at 5.x QMR 3, the Web Agent uses the SMSESSION cookie to identify the user, not the SMIDENTITY cookie.
If the user goes from an upgraded domain to a domain where older Agents use the SMIDENTITY cookie to identify the user, the cookie used depends on the version of the Web Agent handling the request.
To configure an agent to use the SMSESSION cookie where available or force it to use the SMIDENTITY cookie, set the following agent parameter:
UseSessionForAnonymous
This parameter specifies whether an agent uses the session from an available SMSESSION cookie when accessing a resource protected by anonymous authentication. If set to No, only the SMIDENTITY cookie is used.
Default: Yes
When a master cookie domain contains protected resources and a second domain contains anonymous resources, a user who does the following tasks is treated as an anonymous user in the anonymous domain:
  1. The user accesses the anonymous domain first.
  2. Moves to the master domain and logs in.
  3. Moves back to the anonymous domain.
Track User Activities or Application Usage with Auditing
Use the Web Agent auditing feature to measure how often applications on your web site are used, or track user activities with auditing.
Auditing is controlled with the following ACO parameter:
EnableAuditing
The EnableAuditing parameter specifies whether the Web Agent logs all successful authorizations that are stored in the user session cache. When enabled, user authorizations are logged even when the Web Agent uses information from its cache instead of contacting the Policy Server. Web Agents log user names and access information in native web server log files when users access resources.
To track user activity or application usage with auditing, set the value of this parameter to Yes. The default is No.
If you do not enable auditing, the Web Agent only audits authentications and first-time authorizations.
If the Web Agent cannot successfully send an audit message to the Policy Server for an authorization, access to the resource is denied. To view the output of the auditing feature, you can run a report from the Administrative UI. The reports from the Policy Server show user activity for each session.
Web Agents automatically log user names and access information in native Web Server log files when users access resources. The audit log contains a unique transaction ID that the Web Agent generates automatically for each successful user authorization request. The Agent also adds this ID to the HTTP header when the Policy Server authorizes a user to access a resource. The transaction ID is then available to all applications on the web server. The transaction ID is also recorded in the Web Server audit logs. Using this ID, you can compare the logs and can follow the user activity for a given application.
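The log comparison described above, as an added example that is not part of the product documentation: it joins application log entries to the user named in the web server log by transaction ID, and lists application events whose ID never appears in the web server log. The log layouts, the `txid=` field name, and all sample lines are constructed assumptions; adapt the patterns to your own log formats.

```python
import re
from collections import defaultdict

# Constructed sample logs. The field layout (user column, txid=...) is an
# assumption for this example; real layouts depend on your logging config.
WEB_SERVER_LOG = """\
10.0.0.5 - jdoe [12/Mar/2024:10:01:02 +0000] "GET /hr/payroll HTTP/1.1" 200 txid=1a2b3c-0001
10.0.0.5 - jdoe [12/Mar/2024:10:01:09 +0000] "GET /hr/payroll/export HTTP/1.1" 200 txid=1a2b3c-0002
10.0.0.9 - asmith [12/Mar/2024:10:02:30 +0000] "GET /hr/reviews HTTP/1.1" 200 txid=1a2b3c-0003
"""
APP_LOG = """\
2024-03-12T10:01:02Z app=payroll action=view txid=1a2b3c-0001
2024-03-12T10:01:09Z app=payroll action=export txid=1a2b3c-0002
2024-03-12T10:02:31Z app=reviews action=view txid=1a2b3c-0003
2024-03-12T10:05:44Z app=payroll action=export txid=
"""

WEB_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] "[^"]*" \d{3} txid=(?P<txid>\S+)$')
APP_RE = re.compile(r'^(?P<ts>\S+) app=(?P<app>\S+) action=(?P<action>\S+) txid=(?P<txid>\S*)$')

def correlate(web_log, app_log):
    """Join application events to audited users by transaction ID.
    Returns (events per user, application events with no matching ID)."""
    user_by_txid = {}
    for line in web_log.splitlines():
        m = WEB_RE.match(line)
        if m:
            user_by_txid[m["txid"]] = m["user"]
    activity, unmatched = defaultdict(list), []
    for line in app_log.splitlines():
        m = APP_RE.match(line)
        if not m:
            continue
        event = (m["ts"], m["app"], m["action"])
        user = user_by_txid.get(m["txid"])
        if user is None:
            # ID missing or absent from the web server log: review this event.
            unmatched.append(event)
        else:
            activity[user].append(event)
    return dict(activity), unmatched

if __name__ == "__main__":
    activity, unmatched = correlate(WEB_SERVER_LOG, APP_LOG)
    for user, events in activity.items():
        print(user, events)
    print("unmatched:", unmatched)
```

An application event with no matching transaction ID means the request cannot be tied to a logged authorization, which is the first thing to check when following user activity for an application.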
Enable User Tracking
The SMIDENTITY cookie captures the user tracking information. You can enable or disable user tracking using the Administrative UI.
You cannot turn off the SMIDENTITY cookie for a specific agent or Policy. You can turn the cookie on or off only for the entire Policy Server.
Follow these steps:
  1. Log in to the Administrative UI.
  2. Click Administration, Policy Server, Global Tools.
  3. Select Enable User Tracking.
  4. Click Submit.
URL Monitoring
The Web Agent can prevent attacks by malicious users who try to halt normal operation of a web site or circumvent the site security mechanisms to gain illegal access to information.
The Web Agent monitors URLs in resource requests and enforces the security policies for these resources. Web Agents interpret and parse URLs differently from the web servers where the resources reside. These differences can result in subtle performance and security issues that potentially allow unauthorized users to gain access to resources. Consider these issues in the design of your web site and the configuration of the Web Agent.