On a Shared Device, when performing an authentication flow using the VIP Authentication Hub APIs, the system allows a login based on an existing sspsession cookie even if the SUBJECT specified in the authenticate request payload belongs to a different user.
Users see the following API response despite expecting a password or factor challenge:
"AUTH_ALLOWED" "Reauthentication is not required as no new factor found"

Affected releases: any IDSP release up to 4.0.
The system prioritizes the valid sspsession cookie found in the browser over the SUBJECT provided in the request payload. It does not perform a validation check to ensure that the user identity in the cookie matches the user identity requested in the API call.
This behavior is identified as a product limitation and is scheduled to be addressed in the 4.1 IDSP Release.
Until version 4.1 is deployed, ensure that the sspsession cookie is explicitly cleared or invalidated during logout or when switching user contexts to prevent the system from reusing an existing session for a different subject on a Shared device.
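The check the product lacks before 4.1, done on the shared-device client as an added example (not VIP Authentication Hub code): the app records which SUBJECT each sspsession cookie was issued for, drops the cookie before an authenticate call for a different subject, and treats an "AUTH_ALLOWED" answer for a subject other than the session owner as a mismatch. The response field names and sample values are assumptions.

```python
"""Shared-device guard for the sspsession cookie (hypothetical helper)."""


class SessionGuard:
    def __init__(self) -> None:
        self.cookies: dict[str, str] = {}
        # cookie value -> SUBJECT it was established for; tracked locally because
        # the server does not compare cookie identity with the request SUBJECT
        self._owner: dict[str, str] = {}

    def record_login(self, subject: str, sspsession: str) -> None:
        """Called after a full login (password/factor) succeeded for `subject`."""
        self.cookies["sspsession"] = sspsession
        self._owner[sspsession] = subject

    def clear(self) -> None:
        """Invalidate the local sspsession cookie (logout / user switch)."""
        self.cookies.pop("sspsession", None)

    def prepare_authenticate(self, subject: str) -> dict[str, str]:
        """Cookies to send with an authenticate call for `subject`.

        If the stored sspsession belongs to someone else, drop it so the server
        has to challenge instead of answering AUTH_ALLOWED from the old session.
        """
        cookie = self.cookies.get("sspsession")
        if cookie is not None and self._owner.get(cookie) != subject:
            self.clear()
        return dict(self.cookies)

    def response_is_consistent(self, subject: str, response: dict) -> bool:
        """Post-call check: a challenge-free AUTH_ALLOWED is only legitimate when
        the session owner is the requested SUBJECT. Field name is assumed."""
        cookie = self.cookies.get("sspsession")
        if response.get("status") == "AUTH_ALLOWED" and self._owner.get(cookie) != subject:
            self.clear()  # never keep a session that answered for the wrong user
            return False
        return True


if __name__ == "__main__":
    g = SessionGuard()
    g.record_login("alice", "constructed-cookie-A")
    print(g.prepare_authenticate("alice"))  # cookie kept: same subject
    print(g.prepare_authenticate("bob"))    # {}: cookie dropped, bob gets challenged
```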