We're running an IDM Server, and when a user clicks on logout, the session
cookies JSESSIONID and SMSESSIONID are removed from the browser. But
if the user took a copy of these cookies on his PC and then sets
them back in the browser memory, the user is still able to access the
resource.
The cookies are correctly invalidated and cleared from the browser when
clicking LogOut, but by replaying the request with the original
sessions, it is still possible to access the resources.
How can we make sure that the SMSESSION cookie cannot be reused?
IdM 12.6.8;
Policy Server 12.8SP2;
At first glance, for SiteMinder to remove the session when running a
Session Store, you need to make your Realms persistent. This will
force the Policy Server to write the session spec data from the SMSESSION
cookie, and once you have configured "Comprehensive Log Out", then,
as mentioned in the documentation page referenced below, the Web Agent "calls the
Policy Server and instructs the Policy Server to remove any session
information. The user is completely logged off."
Non-Persistent and Persistent Sessions
CA Single Sign-On also provides the ability to configure a persistent
session. A persistent session is one in which a session is maintained
in the session store.
Before you implement persistent sessions, consider the following:
Persistent sessions are enabled when you configure a realm.
Persistent sessions should only be used where necessary. Using
session services to maintain sessions has an impact on system
performance.
https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/user-sessions
Comprehensive Log Out
https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/web-agent-configuration/comprehensive-log-out
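The distinction above (a self-contained session cookie validated by the agent versus a session record held in a server-side store that a comprehensive logout can delete) is what decides whether a saved copy of the cookie survives logout. The following Python model is an added illustration of that difference and is not SiteMinder code or its API; the class names, the cookie layout, the constructed demo key and the user name "alice" are assumptions made for the example.

```python
import hmac
import hashlib
import secrets
import time

# Constructed demo key for this illustration only; a real deployment keeps
# the signing key in a secret store, never in source.
SECRET_KEY = b"constructed-demo-key"
SESSION_TTL_SECONDS = 3600


def _sign(data: str) -> str:
    """HMAC-SHA256 tag over the cookie body so a tampered cookie is rejected."""
    return hmac.new(SECRET_KEY, data.encode(), hashlib.sha256).hexdigest()


class SelfContainedSessions:
    """Non-persistent style: the cookie carries the user and expiry and is
    validated by its signature alone. Nothing is kept server-side, so logout
    can only ask the browser to drop the cookie; a saved copy stays valid
    until the expiry inside it passes."""

    def login(self, user: str, now: float) -> str:
        body = f"{user}|{int(now) + SESSION_TTL_SECONDS}"
        return f"{body}|{_sign(body)}"

    def logout(self, cookie: str) -> None:
        # No server-side record exists, so there is nothing to remove here.
        return None

    def is_valid(self, cookie: str, now: float) -> bool:
        try:
            user, expiry, tag = cookie.rsplit("|", 2)
        except ValueError:
            return False
        body = f"{user}|{expiry}"
        if not hmac.compare_digest(_sign(body), tag):
            return False
        return now < int(expiry)


class StoreBackedSessions:
    """Persistent style: a random session id maps to a record in a
    server-side store (the analogue of a session store). Logout deletes the
    record, so any replayed copy of the cookie fails the lookup."""

    def __init__(self) -> None:
        self._store: dict = {}

    def login(self, user: str, now: float) -> str:
        session_id = secrets.token_hex(16)
        self._store[session_id] = (user, int(now) + SESSION_TTL_SECONDS)
        return session_id

    def logout(self, cookie: str) -> None:
        # Comprehensive logout: remove the server-side session record.
        self._store.pop(cookie, None)

    def is_valid(self, cookie: str, now: float) -> bool:
        record = self._store.get(cookie)
        if record is None:
            return False
        _user, expiry = record
        return now < expiry


def replay_after_logout(sessions, now: "float | None" = None) -> bool:
    """Model the scenario from the question: log in, keep a copy of the
    cookie, log out, then present the saved copy again. Returns True when
    the replayed cookie is still accepted."""
    if now is None:
        now = time.time()
    cookie = sessions.login("alice", now)   # "alice" is a constructed user
    saved_copy = cookie                     # the copy kept outside the browser
    sessions.logout(cookie)                 # browser-side cookie is cleared either way
    return sessions.is_valid(saved_copy, now + 1)


if __name__ == "__main__":
    print("self-contained cookie still accepted after logout:",
          replay_after_logout(SelfContainedSessions()))
    print("store-backed session still accepted after logout:",
          replay_after_logout(StoreBackedSessions()))
```

Running the script shows the first design still accepting the saved cookie after logout and the second rejecting it. The same replay-after-logout check is the practical way to confirm that a persistent realm plus Comprehensive Log Out is actually taking effect in a deployment: if a cookie copied before logout is still accepted afterwards, the session record was not removed server-side.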
Note that if the resources are federated, you also need to
configure SAML Single Logout (SLO).
SLO (SAML 2.0 IdP)
https://docops.ca.com/ca-single-sign-on/12-8/en/using/administrative-ui/federation-partnerships-reference/sso-and-slo-dialog-saml-2-0-idp
Other documentation related to cookie and session termination:
Logout not working.
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=54981
What information do we need to set up the Logout URL in any SSO Enabled Environment?
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=11527
Federation Single Logout Does Not Work
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=41055
Single Sign On Siteminder - Logout Issue
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=130295
The logout page does not seem to work, after the user logs out they can go back and still access their data.
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=51245