LogOffURI not Working as Expected
search cancel

LogOffURI not Working as Expected


Article ID: 204425


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) SITEMINDER


User is accessing protected resource, logging out, hitting browser's back button and receiving the protected resource again.  From this point, user can navigate to protected resources that were not accessed prior to the logout, so it seems as though the logout was not successful.


Release : 12.52



Two factors were in play here.  The logout was successfully invalidating the user's session cookie, but upon clicking the back button, the IE browser was loading the page from its cache with no new requests hitting the agent or web server.  When accessing new protected resources from this point, however, the IE browser was presenting a valid session cookie that had never been set by the web agent during the session.  This cookie is likely coming from some customization the customer has in place that leverages the Auth/Az Web Service and thus can obtain a session cookie without the web agent involvement.


The issue could not be reproduced after clearing IE cache and restarting. IE will always display the content upon hitting the back button because the page is in the IE memory cache at that point. There is no way to refresh the page (pull new data from the server) without re-authenticating or a valid session cookie otherwise being inserted into the browser.

Additional Information

If session replay after logout is a concern, use persistent sessions.  With persistent sessions, the session information is stored centrally in the session store so that when a user logs out, the session is removed from the session store such that even if a user presents a 'valid' session cookie from before the logout, the policy server will see no matching session in the session store and the user will not be considered authenticated.