There are cases where a user's logout is performed correctly and can be confirmed from the logs, yet the user is still able to access certain protected applications.
This generally applies to all SiteMinder versions.
SiteMinder maintains a user's session using a cookie called SMSESSION.
When multiple web servers are involved and the user navigates across multiple hostnames, some agents may have different configuration for the cookie domain. Because the cookies are then set with different Domain flags, the browser ends up holding multiple SMSESSION cookies.
[Flow]
1. User accesses "https://www.example.com/protected/" and logs in.
This Web Agent has "cookiedomain=.example.com", so the SMSESSION cookie is set with the "Domain=.example.com" flag.
2. User navigates to "https://application.sub.example.com/protected/" and is able to SSO.
This Web Agent has "cookiedomain=.sub.example.com", so the SMSESSION cookie is set with the "Domain=.sub.example.com" flag.
Here the #2 Web Agent receives the "Domain=.example.com" cookie that was generated by #1.
The browser finds that "Domain=.example.com" matches "https://application.sub.example.com", so the SMSESSION cookie is submitted.
The #2 Web Agent accepts the cookie because the session information is valid and updates the cookie. Here the #2 Agent sets the SMSESSION cookie based on its ACO setting "cookiedomain=.sub.example.com".
This results in the SMSESSION cookie being set with the "Domain=.sub.example.com" flag.
As there is no existing SMSESSION cookie with the "Domain=.sub.example.com" flag, the browser stores it as a new, separate SMSESSION cookie.
This results in 2 SMSESSION cookies when visiting "https://application.sub.example.com", as both ".example.com" and ".sub.example.com" match that host.
3. User now navigates back to #1 and logs out.
Here the browser only submits the ".example.com" cookie, because ".sub.example.com" does not match "www.example.com".
The Agent performs the logout by setting the SMSESSION value (for .example.com) to LOGGEDOFF.
4. User now navigates to #2, and both cookies are submitted:
"SMSESSION=LOGGEDOFF; Domain=.example.com"
"SMSESSION=XXXYYYZZZ; Domain=.sub.example.com"
The HTTP specification does not define which of two same-named cookies must be submitted first.
As both SMSESSION cookies are submitted, the outcome can appear random, but as long as the ".sub.example.com" cookie is submitted first, the agent sees a valid session and the protected resource can be accessed.
If the ".example.com" cookie is submitted first, the browser is redirected to the login page instead.
It is important to ensure that all agents have synchronized cookie settings, so that they overwrite each other's SMSESSION cookie and only 1 SMSESSION cookie exists in the browser.
In the above sample, "cookiedomain=.example.com" on both agents would be the correct configuration.
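The following is an added example, not SiteMinder code, that simulates the browser cookie jar and the two Web Agents from the flow above. It applies the standard cookie domain-match rule, shows how a mismatched "cookiedomain" leaves two SMSESSION cookies at step 4, and how the synchronized setting leaves only the LOGGEDOFF cookie. The session token "XXXYYYZZZ" and the agent behaviour are constructed for the simulation.

```python
# Added example (not SiteMinder code): a minimal browser cookie jar plus two
# simulated Web Agents with their own ACO "cookiedomain" settings.

def domain_matches(host: str, cookie_domain: str) -> bool:
    """Cookie domain-match: host equals the cookie domain or is a subdomain of it."""
    d, h = cookie_domain.lstrip(".").lower(), host.lower()
    return h == d or h.endswith("." + d)


class CookieJar:
    """A cookie is keyed by (name, domain): a Set-Cookie with the same name but a
    different Domain attribute adds a second cookie instead of replacing the first."""

    def __init__(self):
        self.store = {}

    def set_cookie(self, name: str, value: str, domain: str) -> None:
        self.store[(name, domain.lstrip(".").lower())] = value

    def submitted(self, host: str, name: str) -> dict:
        """All cookies with this name whose Domain matches the host (order unspecified)."""
        return {dom: val for (n, dom), val in self.store.items()
                if n == name and domain_matches(host, dom)}


def web_agent(jar: CookieJar, host: str, cookiedomain: str, action: str) -> dict:
    """One request to an agent-protected URL. 'login' issues a session cookie,
    'sso' accepts a valid submitted session and re-sets it under the agent's own
    cookiedomain, 'logout' overwrites the cookie with LOGGEDOFF. Returns what the
    browser submitted for this request."""
    sent = jar.submitted(host, "SMSESSION")
    if action == "login":
        jar.set_cookie("SMSESSION", "XXXYYYZZZ", cookiedomain)  # constructed token
    elif action == "sso":
        valid = [v for v in sent.values() if v != "LOGGEDOFF"]
        if valid:
            jar.set_cookie("SMSESSION", valid[0], cookiedomain)
    elif action == "logout":
        jar.set_cookie("SMSESSION", "LOGGEDOFF", cookiedomain)
    return sent


def simulate(agent2_cookiedomain: str) -> dict:
    """Runs steps 1-4 of the flow; returns the SMSESSION cookies submitted at step 4."""
    jar = CookieJar()
    web_agent(jar, "www.example.com", ".example.com", "login")                       # 1
    web_agent(jar, "application.sub.example.com", agent2_cookiedomain, "sso")        # 2
    web_agent(jar, "www.example.com", ".example.com", "logout")                      # 3
    return web_agent(jar, "application.sub.example.com", agent2_cookiedomain, "sso")  # 4
```

With `simulate(".sub.example.com")` step 4 submits both a LOGGEDOFF cookie and a still-valid one, so access depends on which the agent reads first; with `simulate(".example.com")` only the LOGGEDOFF cookie remains.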