A user with a persistent session requests a resource that is protected at a higher authentication level than the user's current session. The user completes the step-up authentication and accesses the resource. The user then logs off, but can still replay the session using a saved session cookie.
All supported releases
Normally the policy server updates the existing stored session during step-up authentication, but in this case it was creating a new session. Thus, when the user logged out, the new session was deleted, but the old session remained and could be replayed. A browser trace made it clear that the custom authentication scheme in use was submitting a login attempt for a different user name. This injection of a different user name during the step-up authentication caused Siteminder to process the subsequent login as a new session rather than as a step-up of the existing session.
For step-up authentication to reuse an existing session as designed, there must be no user-name switch or other inconsistency during the step-up authentication; otherwise the web agent may lose context and the original session will outlive the logout.