When logging out from any SiteMinder-protected application, the session is only cleared from the browser; the Web Agent does not send any notification to the Policy Server to clear or invalidate the session.
This happens for all applications, as below:
The session cookie is captured with a cookie editor. After logout, when that cookie is imported into a new browser and the link of any SiteMinder-protected application is requested, SiteMinder still allows the user to access the application.
This is an expected behavior.
The Web Server cannot tell who is using the browser. Since the cookie is used for session management, as long as a valid cookie is submitted, access is granted.
Likewise, if the user submits the previous cookie again (provided it has not exceeded the idle timeout), access is granted again.
Set the Validation Period on the application's Realm to ensure the session in the Session Store is kept alive and updated (1).
When logging out, the session data from the Session Store will be removed.
That way, when the user submits a Session cookie for a session that has already been logged out, the session is not found in the Session Store, so it is rejected and the browser is not granted access to the resource.
But within the Session Validation Period, the Web Agent can service requests from its Session Cache; if the Session Cache has not been flushed for that user's session, the user can still get access (1).
The user can only access previously accessed resources, as those are in the Session Cache; accessing other Realms triggers validation, which does not find the session in the Session Store and rejects the user's access.
This period, during which the Web Agent services requests from its Session Cache while the session record in the Session Store has already been removed, is called the "Session Drift" period; it is configurable by the Validation Period on the persistent Realm (2).
Set the Validation Period to a short value or turn off the Session Cache to get rid of this.
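The following is an added example, not Broadcom/CA code, that models the behaviour described above as a small simulation: a Policy Server-side Session Store whose record is removed on logout, and a Web Agent that serves a realm from its Session Cache until the Validation Period elapses. The class and method names, the timeline and the cookie value are all constructed for the illustration; the real Web Agent and Policy Server internals are more involved. What the model shows is the "Session Drift" window: a replayed cookie is still honoured for a previously accessed realm within the Validation Period, is rejected for any other realm, and is rejected everywhere once the period expires or the cache is disabled (Validation Period of 0 here).

```python
"""Toy model of session drift after logout (added example, not product code).

Components (names are constructed for this illustration):
  - SessionStore: the Policy Server's persistent Session Store.
  - WebAgent:     caches validated (session, realm) pairs for
                  `validation_period` seconds before revalidating.
"""
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Policy Server Session Store: one record per live session."""
    sessions: set = field(default_factory=set)

    def create(self, session_id: str) -> None:
        self.sessions.add(session_id)

    def logout(self, session_id: str) -> None:
        # Logout removes the session record from the store.
        self.sessions.discard(session_id)

    def is_valid(self, session_id: str) -> bool:
        return session_id in self.sessions


@dataclass
class WebAgent:
    """Web Agent with a per-realm Session Cache."""
    store: SessionStore
    validation_period: float  # seconds; 0 means the Session Cache is off
    # (session_id, realm) -> time the session was last validated with the store
    cache: dict = field(default_factory=dict)

    def request(self, session_id: str, realm: str, now: float) -> bool:
        """Return True if a request for `realm` at time `now` is granted."""
        key = (session_id, realm)
        last_validated = self.cache.get(key)
        if last_validated is not None and now - last_validated < self.validation_period:
            # Served from the Session Cache: no round-trip to the store,
            # so a session already removed by logout is still honoured.
            return True
        # Cache miss or Validation Period elapsed: validate with the store.
        if self.store.is_valid(session_id):
            if self.validation_period > 0:
                self.cache[key] = now
            return True
        self.cache.pop(key, None)
        return False


def drift_scenario(validation_period: float) -> dict:
    """Replay a logged-out session cookie and report which requests are granted.

    Constructed timeline: t=0 login and access /app1; t=1 logout;
    t=2 replay on /app1 (same realm) and on /app2 (other realm);
    t=validation_period+2 replay on /app1 again.
    """
    store = SessionStore()
    agent = WebAgent(store, validation_period)
    sid = "constructed-session-cookie-value"  # stands in for the session cookie

    store.create(sid)
    assert agent.request(sid, "/app1", now=0)  # normal access, populates cache
    store.logout(sid)  # browser cookie cleared and store record removed

    return {
        "same_realm_within_period": agent.request(sid, "/app1", now=2),
        "other_realm_within_period": agent.request(sid, "/app2", now=2),
        "same_realm_after_period": agent.request(sid, "/app1", now=validation_period + 2),
    }


if __name__ == "__main__":
    print("validation period 30s:", drift_scenario(30))
    print("session cache off:   ", drift_scenario(0))
```

With a 30-second Validation Period the first replay on `/app1` is granted from the cache while `/app2` and the later `/app1` request are rejected; with the cache disabled every replay is rejected, which is the effect of the mitigation the article recommends.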