Logout is not clearing session from Policy server

Article ID: 205694
Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

When we log out from any SiteMinder-protected application, the session is only cleared from the browser; the web agent is not sending any notification to the Policy Server to clear or invalidate the session there.

This is happening for all applications, as below:
1) CA Identity Minder - 14.2
2) CA Service Desk
3) Sharepoint application
4) Siteminder AdminUI

The session cookie is captured with Cookie Editor. After logout, we import the cookie into a new browser and hit the link of any SM-protected application, and SiteMinder allows us into the application.

Environment

Release : 12.8.03

Component : SITEMINDER -WEB AGENT FOR APACHE

Resolution

This is expected behaviour.

The web server cannot tell on its own who you are, so a cookie is used for session management. SiteMinder as a product also uses a cookie for session management: as long as a valid session cookie is submitted, you have access.

If the previous cookie is submitted again (provided it has not exceeded the idle timeout), you have access again.

You also need to set a validation period on the realm to ensure the session in the session store is kept alive and updated.

When you log out, the session record in the session store is removed. When the user then submits a session cookie for a session that has already been logged out, the session is not found in the session store, so the user should be rejected.

BUT

Within the session validation period the agent can service requests from its session cache, and if the session cache has not been flushed for that user session, the user can still get access.

The user can only access previously accessed resources, because those are what is in the session cache. Accessing another realm triggers validation, which does not find the session in the session store and rejects the user.

This period, during which the agent services requests from its session cache while the session record has already been removed from the session store, is called the "Session Drift" period.

So this is expected behaviour. If you want to get rid of it, set the validation period to be short or turn off the session cache.
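The following is an added toy model of the "Session Drift" window described above; it is not SiteMinder code and does not use any SiteMinder API. The class and function names (SessionStore, Agent, drift_window) and the timeline values are constructed for the example. It shows why a replayed cookie is still served from the agent's session cache for an already-accessed realm, why another realm is rejected, and how a short validation period or a disabled session cache closes the window.

```python
"""Toy model of the agent session cache vs. the Policy Server session store.

Constructed illustration only: not SiteMinder code, not its API. All names
and timings here are assumptions made for the example.
"""
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Policy Server side: the authoritative set of live session IDs."""
    sessions: set = field(default_factory=set)

    def login(self, sid: str) -> None:
        self.sessions.add(sid)

    def logout(self, sid: str) -> None:
        # Logout removes the session record from the session store.
        self.sessions.discard(sid)

    def is_valid(self, sid: str) -> bool:
        return sid in self.sessions


@dataclass
class Agent:
    """Web agent side: validates against the store, then caches per realm."""
    store: SessionStore
    validation_period: int          # seconds between re-validations (assumed realm setting)
    cache_enabled: bool = True
    cache: dict = field(default_factory=dict)   # (sid, realm) -> time last validated

    def request(self, sid: str, realm: str, now: int) -> str:
        key = (sid, realm)
        if self.cache_enabled:
            last = self.cache.get(key)
            # Inside the validation period the agent answers from its cache
            # without asking the Policy Server: this is the drift window.
            if last is not None and now - last < self.validation_period:
                return "allowed-from-cache"
        # Cache miss, cache disabled, or validation period elapsed: validate.
        if self.store.is_valid(sid):
            if self.cache_enabled:
                self.cache[key] = now
            return "allowed-validated"
        self.cache.pop(key, None)
        return "rejected"


def drift_window(validation_period: int, cache_enabled: bool) -> tuple:
    """Replay a captured cookie after logout and report each outcome.

    Timeline (constructed): t=0 login and access /app, t=10 logout,
    t=20 replay cookie to /app and to /other, t=validation_period+5
    replay to /app again.
    """
    store = SessionStore()
    agent = Agent(store, validation_period, cache_enabled)
    sid = "SMSESSION-example"           # constructed session id, not a real cookie

    store.login(sid)
    first = agent.request(sid, "/app", now=0)

    store.logout(sid)                    # record removed from the session store

    replay_same_realm = agent.request(sid, "/app", now=20)
    replay_other_realm = agent.request(sid, "/other", now=20)
    after_period = agent.request(sid, "/app", now=validation_period + 5)
    return (first, replay_same_realm, replay_other_realm, after_period)


if __name__ == "__main__":
    print("long period, cache on :", drift_window(300, True))
    print("long period, cache off:", drift_window(300, False))
    print("short period, cache on:", drift_window(5, True))
```

With a 300-second validation period and the cache enabled, the replayed cookie is still allowed for /app from the cache but rejected for /other and rejected again once the period has elapsed; disabling the cache or shortening the validation period makes every post-logout request go to the store and be rejected.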