Users' Web Agent session remains active after logout

Article ID: 266333


Products

SITEMINDER

Issue/Introduction

When using a SiteMinder web agent with Comprehensive Log Out configured, after a user clicks the logout button the session token (cookie) can still be reused or replayed, and the protected resource can still be accessed, even though the logout has completed.

Environment

Release : 12.8.x

Cause

Web Agents cache user sessions to reduce load on the policy servers. Until the agent's session cache expires, a user session that has been logged out can still be used with the agent.

The agent will query the policy server to validate the session based on the session validation period if persistent sessions are being used.

Resolution

  1. If you are using Persistent Sessions, decrease the time a logged-off user session remains in the cache.

     With persistent sessions configured, you can reduce the session validation period to increase how often the agent checks that the session is still valid.

     (NOTE: Persistent sessions require that a session store be configured to hold user session information.)

     (NOTE: You can reduce this value to as little as 1 second, but this increases the traffic between the agents and the policy server, and between the policy server and the session store.)

  2. Configure the user's session cache to be cleared on logout.

     The Policy Server registry key that enables flushing the user session cache (see the list of Policy Server Registry Keys):

     EnableFlushUserCmdOnLogout

     EnableFlushUserCmdOnLogout (LDAP and ODBC) - Specifies whether users are flushed from the session store cache on logout. Enter 1 to enable the parameter or 0 to disable it. If this registry key is not added, users are not flushed.

  3. An alternate method to ensure sessions are removed promptly is to disable the Web Agent cache by setting MaxSessionCacheSize to 0.

     (NOTE: The web agent cache is used to reduce the load on the Policy Servers; disabling it will significantly increase the load on the policy servers and session stores, so it is not recommended.)
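As an added illustration (not SiteMinder code or part of this article), the following Python model of an agent-side session cache shows why a logged-out token keeps being accepted until the validation period elapses, and how each of the three settings above closes that window. The PolicyServer and WebAgent classes, the replay_window helper and the timings are assumptions of the model, not the product's internals.

```python
"""Model of a Web Agent session cache: why a logged-out token is still accepted.

Constructed illustration; the classes below are assumptions, not SiteMinder code.
"""
from dataclasses import dataclass, field


@dataclass
class PolicyServer:
    store: set = field(default_factory=set)   # session store: tokens still valid

    def validate(self, token):
        return token in self.store

    def logout(self, token):
        self.store.discard(token)               # logout removes the session


@dataclass
class WebAgent:
    ps: PolicyServer
    validation_period: int          # seconds before the agent re-validates a cached session
    max_cache_size: int = 1000      # 0 models MaxSessionCacheSize=0 (cache disabled)
    flush_on_logout: bool = False   # models EnableFlushUserCmdOnLogout=1
    cache: dict = field(default_factory=dict)   # token -> time last validated

    def is_authorized(self, token, now):
        if self.max_cache_size == 0:            # no cache: every request hits the policy server
            return self.ps.validate(token)
        last = self.cache.get(token)
        if last is not None and now - last < self.validation_period:
            return True                         # served from cache without asking the policy server
        ok = self.ps.validate(token)
        if ok and len(self.cache) < self.max_cache_size:
            self.cache[token] = now
        elif not ok:
            self.cache.pop(token, None)
        return ok

    def logout(self, token):
        self.ps.logout(token)
        if self.flush_on_logout:                # flush the cached user entry on logout
            self.cache.pop(token, None)


def replay_window(validation_period, max_cache_size=1000, flush_on_logout=False):
    """Seconds after logout during which the old token is still accepted (0 = none)."""
    agent = WebAgent(PolicyServer({"tok"}), validation_period, max_cache_size, flush_on_logout)
    assert agent.is_authorized("tok", 0)        # user logs in at t=0, entry is cached
    agent.logout("tok")
    accepted = 0
    for t in range(1, validation_period + 2):   # replay the old cookie every second
        if agent.is_authorized("tok", t):
            accepted = t
    return accepted
```

With the default 600-second validation period the stale token is accepted for 599 seconds; a 1-second period, flushing on logout, or a disabled cache each reduce the window to zero.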


In addition to these configuration options, there are security methods to ensure that logged out sessions are not reused by an unauthorized party: