Logout is not clearing the session from Policy Server
search cancel

Logout is not clearing the session from Policy Server


Article ID: 205694


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER



When logging out from any SiteMinder-protected application, the session is just getting cleared off from the browser but the webagent is not sending any notification to clear off or invalidate the session in the Policy Server.

This is happening for all applications as below:

  1. CA Identity Minder - 14.2
  2. CA Service Desk
  3. Sharepoint application.
  4. SiteMinder AdminUI.

The Session is taken by Cookie Editor, and after the logout, when importing the cookie for the new browser and hitting the link of any SiteMinder-protected application. SiteMinder is allowing the user to access the application.




This is an expected behavior.

The Web Server cannot differentiate the person using the browser, so as the cookie is used for session management, as long as a valid cookie is submitted, access should be granted.

As well, if the user again submits the previous cookie (given it has not exceeded idle timeout) then it will have access again.




Set the Validation Period on the application's Realm to ensure the session in the Session Store is kept alive and updated (1).

When logging out, the session data from the Session Store will be removed.

That way, when the user submits a Session cookie that the user already logged out, the session would not be found in the Session Store, so the user's session should be rejected and the browser won't get granted to access the resource.

But, between the Session Validation Period, the Web Agent can service requests via its Session Cache and if the Session Cache has not been flushed for that user, the Session then the user still can get access (1).

The user can only access previously accessed resources as that is in the Session Cache, accessing other Realms will trigger validation and will not find the session in the Session Store and reject the user access.

So, this period where the Web Agent will service request from its Session Cache while the session record in the Session Store is removed is called the "Session Drift" period, configurable by the Validation Period in persistent Realm (2).

Set the Validation Period to be short or turn off the Session Cache to get rid of this.


Additional Information



    Set the Maximum User Session Cache Size


    Realm Dialog-Session Section