Session not destroyed at server-side
Article ID: 134520

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

We're running an IDM Server, and when a user clicks on logout, the session cookies JSESSIONID and SMSESSIONID are removed from the browser. But if the user took a copy of these cookies on his PC and then sets them back in the browser memory, the user is still able to access the resource.

The cookies are correctly invalidated and cleared from the browser when clicking LogOut, but by replaying the request with the original sessions, it is still possible to access the resources.

How can we make sure that the SMSESSION cookie cannot be reused?


Environment

  IdM 12.6.8
  Policy Server 12.8 SP2


Resolution

At first glance, for SiteMinder to remove the session when running a Session Store, you need to make your Realms persistent. This forces the Policy Server to write the session spec data carried in the SMSESSION cookie to the session store, so that the session exists server-side and not only in the cookie. Once you have also configured "Comprehensive Log Out", then, as the documentation page below states, the Web Agent "calls the Policy Server and instructs the Policy Server to remove any session information. The user is completely logged off."


Non-Persistent and Persistent Sessions

  CA Single Sign-On also provides the ability to configure a persistent session. A persistent session is one in which a session is maintained in the session store.

  Before you implement persistent sessions, consider the following:

  Persistent sessions are enabled when you configure a realm.

  Persistent sessions should only be used where necessary. Using session services to maintain sessions has an impact on system performance.

https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/user-sessions


Comprehensive Log Out

https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/web-agent-configuration/comprehensive-log-out
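The difference between the two realm types, shown as an added illustration rather than SiteMinder's own code: with a non-persistent realm the only session state is the signed cookie, so clearing it from the browser invalidates nothing and a saved copy keeps working; with a persistent realm the session id is also recorded in a store, and a comprehensive logout removes it there, so the same saved copy is rejected. The key, cookie layout and class names are constructed for this demo.

```python
import hmac
import secrets

KEY = b"constructed-demo-key"  # stand-in for the agent/Policy Server shared key

def _sign(payload: str) -> str:
    return hmac.new(KEY, payload.encode(), "sha256").hexdigest()

def mint_cookie(user: str) -> str:
    # The cookie carries the session spec (user, session id) plus a MAC.
    payload = f"{user}|{secrets.token_hex(8)}"
    return f"{payload}|{_sign(payload)}"

def parse_cookie(cookie: str):
    # Returns (user, session_id) when the MAC verifies, otherwise None.
    payload, _, mac = cookie.rpartition("|")
    if not hmac.compare_digest(_sign(payload), mac):
        return None
    return tuple(payload.split("|", 1))

class NonPersistentRealm:
    # Session state lives only in the cookie; logout just drops the cookie.
    def login(self, user):
        return mint_cookie(user)
    def is_valid(self, cookie):
        return parse_cookie(cookie) is not None
    def logout(self, cookie):
        pass  # nothing to invalidate server-side, so a saved copy stays usable

class PersistentRealm:
    # Session ids are also written to a store; logout removes them there.
    def __init__(self):
        self.store = set()
    def login(self, user):
        cookie = mint_cookie(user)
        self.store.add(parse_cookie(cookie)[1])
        return cookie
    def is_valid(self, cookie):
        parsed = parse_cookie(cookie)
        return parsed is not None and parsed[1] in self.store
    def logout(self, cookie):
        parsed = parse_cookie(cookie)
        if parsed:
            self.store.discard(parsed[1])

def replay_after_logout(realm) -> bool:
    # Keep a copy of the cookie, log out, then present the copy again.
    saved = realm.login("alice")
    realm.logout(saved)
    return realm.is_valid(saved)
```

`replay_after_logout` is the check described in the issue above: it should return False once the realm is persistent and logout clears the session store entry.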


You should note that if the resources are federated, you also need to configure SAML Single Log Out (SLO), otherwise the federated session survives the local logout.


  SLO (SAML 2.0 IdP)

  https://docops.ca.com/ca-single-sign-on/12-8/en/using/administrative-ui/federation-partnerships-reference/sso-and-slo-dialog-saml-2-0-idp


Other documentation related to cookie and session termination:


  Logout not working.

  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=54981


  What information do we need to set up the Logout URL in any SSO Enabled Environment?

  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=11527


  Federation Single Logout Does Not Work

  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=41055


  Single Sign On Siteminder - Logout Issue

  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=130295


  The logout page does not seem to work, after the user logs out they can go back and still access their data.

  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=51245