When running a Web Agent, when user XXXYYY accesses a resource, its session later gets used by user AAABBB.
Policy Server 12.8 SP3 on Red Hat 7
To prevent SMSESSION from being cached in proxies, the ExpireForProxy and
ProxyTrust parameters will help, as stated in the documentation (1).
Read the documentation carefully, as other parameters need to be
set along with these.
Further, as you have an F5 load balancer, you might investigate the
stickiness feature (2).
If possible, to prevent more than one IP from using it, you need to
implement the IP check for the cookie (3)(4).
(1)
Configure Agents that Sit behind Proxy Servers
Customize the Cache-Control and ExpireForProxy Header Settings
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/advanced-configuration-settings/agents-and-proxy-servers.html#concept.dita_0ddef1973865831c1b3ef9847bed8ae11901af59_CustomizetheCacheControlandExpireForProxyHeaderSettings
(2)
Persistence
Persistence otherwise known as stickiness is a technique implemented
by ADCs to ensure requests from a single user are always distributed
to the server on which they started.
[...]
The concept of cookie-based persistence has since been applied to
application sessions, using session ID information generated by web
and application servers to ensure that user requests are always
directed to the same server during the same session.
[...]
https://www.f5.com/services/resources/white-papers/cookies-sessions-and-persistence
(3)
Verify IP Addresses
Compare IP Addresses to Prevent Security Breaches
The IP checking feature requires agent to compare the IP address
stored in a cookie from the last request against the IP address
contained in the current request. If the IP addresses do not match,
the agent rejects the request.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/user-protection/verify-ip-addresses.html
(4)
Configure IP Address Validation
Specifies an HTTP header for which the agent searches to find the IP
address of the requestor. If no value is specified for this parameter,
the default is an empty string. No maximum length is enforced and the
value can be any string that contains a valid HTTP header value.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/web-application-protection/default-http-headers-used-by-the-product.html
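The IP check in reference (3) only helps behind an F5 if the agent sees the browser's address rather than the load balancer's: with SNAT, every request arrives from the F5, the stored and current IPs always match, and the check rejects nothing. That is why reference (4) lets the agent read the requestor IP from an HTTP header. The model below is an added example, not code from the original post or from the SiteMinder agent; it assumes the header is X-Forwarded-For and that the F5 lives in 10.0.0.0/8 (both constructed for the example). It contrasts a weak resolver that trusts the header from any peer with a hardened one that trusts it only from the proxy and takes the hop the proxy appended, then replays a stolen cookie from a second address the way the question describes.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed assumption: the F5 sits in 10.0.0.0/8 and SNATs, so the TCP
# peer the agent host sees is the F5, never the browser.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
IP_HEADER = "X-Forwarded-For"   # assumed header name; the page names no specific header


@dataclass
class Request:
    remote_addr: str                   # TCP peer address as the agent host sees it
    headers: dict = field(default_factory=dict)
    cookie_ip: Optional[str] = None    # IP the agent recorded in the cookie last request


def naive_requestor_ip(req: Request) -> str:
    """Weak form: trust the header from any peer and take the first hop.
    A client that sets the header itself picks the value that is compared."""
    value = req.headers.get(IP_HEADER, "")
    return value.split(",")[0].strip() if value else req.remote_addr


def hardened_requestor_ip(req: Request) -> str:
    """Trust the header only when the TCP peer is a known proxy, and take the
    rightmost entry, which is the one that proxy appended (a client-supplied
    value is pushed left and ignored)."""
    peer = ip_address(req.remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return req.remote_addr          # not from the F5: header is untrusted
    value = req.headers.get(IP_HEADER, "")
    if not value:
        return req.remote_addr          # proxy set no header: fall back to peer
    return value.split(",")[-1].strip()


def ip_check(req: Request, resolver=hardened_requestor_ip) -> Tuple[bool, str]:
    """Model of the agent check in reference (3): compare the IP stored in the
    cookie from the last request with the IP of the current request and reject
    on mismatch. Returns (accepted, ip_to_store_in_cookie)."""
    current = resolver(req)
    if req.cookie_ip is None:
        return True, current            # first request: nothing to compare yet
    return current == req.cookie_ip, current


def scenarios() -> dict:
    """Constructed traffic: one legitimate request, then the same cookie
    replayed from another address, via the F5 and bypassing it.
    Each value is (naive_accepted, hardened_accepted)."""
    user, attacker, f5 = "198.51.100.10", "203.0.113.5", "10.1.2.3"
    legit = Request(f5, {IP_HEADER: user}, cookie_ip=user)
    # replay through the F5: attacker pre-sets the header, F5 appends the true peer
    via_f5 = Request(f5, {IP_HEADER: f"{user}, {attacker}"}, cookie_ip=user)
    # replay straight to the agent host, bypassing the F5 entirely
    direct = Request(attacker, {IP_HEADER: user}, cookie_ip=user)
    return {
        "legit": (ip_check(legit, naive_requestor_ip)[0], ip_check(legit)[0]),
        "via_f5": (ip_check(via_f5, naive_requestor_ip)[0], ip_check(via_f5)[0]),
        "direct": (ip_check(direct, naive_requestor_ip)[0], ip_check(direct)[0]),
    }


if __name__ == "__main__":
    for name, (naive, hardened) in scenarios().items():
        print(f"{name:7s} naive={'accept' if naive else 'reject':6s} "
              f"hardened={'accept' if hardened else 'reject'}")
```

Two practical consequences follow from the model: the F5 must be the only path to the agent hosts (firewall the direct route) and must append or overwrite the header itself, otherwise a client-supplied value defeats the check; and the check trades security for friction, since users whose address legitimately changes mid-session (mobile networks, NAT pools) will be rejected and forced to re-authenticate.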