How can someone reuse an SMSESSION cookie after Logout?
A user could steal an SMSESSION cookie and replay it for future requests in another browser or the same browser until the session expires.
The session expiration is stored inside the cookie itself. When a Web Agent decodes the cookie, it checks the Session Timeout (Max/Idle) directly from the decoded session and, by default, does not validate the session against the Policy Server.
The scenario above is not expected, as nobody should steal an SMSESSION cookie in a secure network.
Policy Server Version: ALL SUPPORTED VERSIONS
Component: SMPLC
Administrators can use any of the following solutions for this issue:
1. Implement Enhanced Session Assurance with DeviceDNA
2. Use Persistent session/realms with a short Session Validation Period
For persistent sessions only, an administrator can specify the time period during which the Web Agent caches the result of a session validation call to the Policy Server.
Session validation calls perform two functions: informing the Policy Server that a user is still active and checking that the user session is still valid.
After a Logoff, the session is removed from the session store, so if a user attempts to replay an SMSESSION cookie after the validation period has elapsed, the Web Agent will contact the Policy Server, find that the session is invalid and reject the user session.
3. Enable TransientIPCheck so the agent can compare the IP address stored in a transient cookie from the last request against the IP address contained in the current request. See Compare IP Addresses to Prevent Security Breaches.
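The following is an added model of the behaviour described in solutions 2 and 3, written for this article and not taken from SiteMinder: a Web Agent that caches validation results for a validation period, a Policy Server session store that drops the session on logoff, and an optional IP comparison. Class and function names, the session id and the 10.0.0.x addresses are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class PolicySessionStore:
    """Constructed stand-in for the Policy Server session store (persistent sessions)."""
    sessions: set = field(default_factory=set)

    def is_valid(self, session_id):
        return session_id in self.sessions

    def logoff(self, session_id):
        # Logoff removes the persistent session from the store.
        self.sessions.discard(session_id)


@dataclass
class WebAgent:
    """Constructed stand-in for a Web Agent protecting a persistent realm."""
    store: PolicySessionStore
    validation_period: float        # seconds a validation result stays cached
    transient_ip_check: bool = False
    _cache: dict = field(default_factory=dict)  # session_id -> (validated_at, client_ip)

    def authorize(self, session_id, client_ip, now):
        entry = self._cache.get(session_id)
        # Solution 3: compare the IP seen on the last request with the current one.
        if self.transient_ip_check and entry and entry[1] != client_ip:
            return "rejected: ip mismatch"
        # Solution 2: inside the validation period the cached result is trusted and
        # the Policy Server is not contacted, so a replayed cookie is still accepted.
        if entry and now - entry[0] < self.validation_period:
            return "accepted (cached)"
        if not self.store.is_valid(session_id):
            self._cache.pop(session_id, None)
            return "rejected: session invalid"
        self._cache[session_id] = (now, client_ip)
        return "accepted (validated)"


def replay_scenario(validation_period, transient_ip_check=False):
    """Legitimate request, logoff, then two replays of the cookie from another host."""
    store = PolicySessionStore({"smsession-abc"})       # constructed session id
    agent = WebAgent(store, validation_period, transient_ip_check)
    results = [agent.authorize("smsession-abc", "10.0.0.5", now=0.0)]
    store.logoff("smsession-abc")                        # user logs off
    results.append(agent.authorize("smsession-abc", "10.0.0.99", now=1.0))
    results.append(agent.authorize("smsession-abc", "10.0.0.99", now=validation_period + 1.0))
    return results
```

Running `replay_scenario(300)` shows the replay accepted from cache at t=1 s and rejected once the validation period has elapsed; a shorter period narrows that window and `transient_ip_check=True` closes it for a request from a different address.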