Logout is not clearing the session from Policy Server
Article ID: 205694

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

When logging out from any SiteMinder-protected application, the session cookie is cleared from the browser, but the Web Agent does not send any notification to the Policy Server to clear or invalidate the session there.

This happens for all applications, for example:

  1. CA Identity Minder - 14.2
  2. CA Service Desk
  3. Sharepoint application.
  4. SiteMinder AdminUI.

The session cookie was captured with a cookie editor. After the logout, importing that cookie into a new browser and requesting any SiteMinder-protected application still works: SiteMinder allows the user to access the application.

Cause

This is expected behavior.

The Web Server cannot tell who is using the browser. Because the cookie is what identifies the session, access is granted as long as a valid cookie is submitted.

Likewise, if the user submits the previous cookie again (provided its idle timeout has not been exceeded), access is granted again.

Resolution

Set the Validation Period on the application's Realm to ensure the session in the Session Store is kept alive and updated (1).

When logging out, the session data is then removed from the Session Store.

That way, when a session cookie is submitted for a session the user has already logged out of, the session is not found in the Session Store, so it is rejected and the browser is not granted access to the resource.

However, within the Session Validation Period the Web Agent can service requests from its Session Cache, and if the Session Cache has not been flushed for that user, the user can still get access (1).

The user can only reach resources that were accessed previously, because only those are in the Session Cache; accessing other Realms triggers validation, which does not find the session in the Session Store and rejects the access.

This period, during which the Web Agent services requests from its Session Cache although the session record has already been removed from the Session Store, is called the "Session Drift" period; its length is controlled by the Validation Period of the persistent Realm (2).

To eliminate it, set a short Validation Period or turn off the Session Cache.
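To make the drift window concrete, here is an added toy model (not SiteMinder code and not part of this article) of an agent-side session cache sitting in front of the Session Store; the session id, realm names and timings are constructed, and keying the cache by realm is a simplification that mirrors the statement above that other Realms trigger validation.

```python
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Policy Server-side session store for a persistent realm (toy model)."""
    sessions: dict = field(default_factory=dict)  # session id -> user name

    def logout(self, sid):
        self.sessions.pop(sid, None)  # logout removes the session record

    def is_valid(self, sid):
        return sid in self.sessions


@dataclass
class WebAgent:
    """Web Agent with an optional session cache keyed by (session, realm)."""
    store: SessionStore
    validation_period: int          # seconds before a cached session is re-validated
    cache_enabled: bool = True
    cache: dict = field(default_factory=dict)  # (sid, realm) -> last validation time

    def authorize(self, sid, realm, now):
        key = (sid, realm)
        cached_at = self.cache.get(key)
        # Inside the validation period the agent answers from its cache and never
        # consults the Session Store: this is the "Session Drift" window.
        if (self.cache_enabled and cached_at is not None
                and now - cached_at < self.validation_period):
            return True
        # Otherwise validate against the Session Store and refresh the cache.
        if self.store.is_valid(sid):
            if self.cache_enabled:
                self.cache[key] = now
            return True
        self.cache.pop(key, None)
        return False


def drift_demo(validation_period, cache_enabled=True):
    """Report which post-logout cookie replays still succeed for the given settings."""
    store = SessionStore({"sid-1": "user1"})        # constructed sample session
    agent = WebAgent(store, validation_period, cache_enabled)
    assert agent.authorize("sid-1", "app1", now=0)  # t=0: first access, now cached
    store.logout("sid-1")                            # t=5: user logs out, record removed
    return {
        "same_realm": agent.authorize("sid-1", "app1", now=10),
        "other_realm": agent.authorize("sid-1", "app2", now=10),
    }


if __name__ == "__main__":
    print(drift_demo(300), drift_demo(5), drift_demo(300, cache_enabled=False))
```

With a 300-second Validation Period the replay into the already-cached realm still succeeds while the other realm is rejected; a short Validation Period or a disabled cache rejects both.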

Additional Information

(1) Set the Maximum User Session Cache Size

(2) Realm Dialog-Session Section