Description:
The authentication scheme in use is HTTP Basic authentication.
When a user has been idle for some time, the idle timeout configured on the protecting realm ends the session, and the next access to the resource produces a Basic challenge.
If the user cancels the credentials dialog and then edits the URL in the browser, they regain access without authenticating again.
Applies to SiteMinder Policy Server, any version.
When authenticating with HTTP Basic, the browser is challenged only on the first request, because at that point it is not yet sending an Authorization header. Once it has sent one and the server replies with anything other than a 401, the browser caches those credentials and re-sends them with every subsequent request. Cancelling a later challenge dialog does not clear that cache, so the next navigation replays the stored credentials.
To avoid this behaviour, use form-based authentication.
Some more details on what is happening:
When you use Basic authentication and hit a protected page, the Web Agent sets a cookie named SMCHALLENGE=YES in your browser at the same time as it prompts you. Then, when you submit your credentials, SiteMinder expects the browser to return this cookie along with the credentials.
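The following is an added, constructed simulation (not code from the article or from SiteMinder) of the two points above: the browser-side credential cache that makes the cancelled Basic challenge ineffective, the SMCHALLENGE=YES handshake the agent expects, and the contrast with a form login whose only client-side credential is a server-issued session cookie. The Agent and Browser classes, the IDLE_TIMEOUT value, the test account and the SMSESSION cookie name are all assumptions made for the example; time is passed in explicitly so the idle timeout is deterministic.

```python
"""Constructed simulation (added example): why a cached Basic credential is
replayed after an idle timeout, versus a form login with a server-side session."""
import base64

IDLE_TIMEOUT = 30            # seconds; constructed value, not a real realm setting
USERS = {"alice": "s3cret"}  # constructed test account


class Agent:
    """Stand-in for a web agent protecting one realm with an idle timeout.
    mode 'basic' models the SMCHALLENGE handshake; mode 'form' models a login POST."""

    def __init__(self, mode):
        self.mode = mode
        self.sessions = {}   # session id -> time of the last request on it
        self.next_id = 1

    def _new_session(self, now):
        sid = f"S{self.next_id}"
        self.next_id += 1
        self.sessions[sid] = now
        return sid

    def _challenge(self):
        if self.mode == "basic":
            # Challenge and mark the browser so the next credentials are accepted
            return 401, {"WWW-Authenticate": 'Basic realm="protected"'}, {"SMCHALLENGE": "YES"}
        return 302, {"Location": "/login"}, {}

    def handle(self, headers, cookies, now, form=None):
        sid = cookies.get("SMSESSION")
        if sid in self.sessions and now - self.sessions[sid] <= IDLE_TIMEOUT:
            self.sessions[sid] = now
            return 200, {}, {}
        self.sessions.pop(sid, None)   # idle timeout reached: the session is gone
        if self.mode == "basic":
            auth = headers.get("Authorization", "")
            # Credentials only count when the browser also returns SMCHALLENGE=YES
            if auth.startswith("Basic ") and cookies.get("SMCHALLENGE") == "YES":
                user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
                if USERS.get(user) == pw:
                    return 200, {}, {"SMSESSION": self._new_session(now), "SMCHALLENGE": ""}
        elif form and USERS.get(form.get("user")) == form.get("pw"):
            return 200, {}, {"SMSESSION": self._new_session(now)}
        return self._challenge()


class Browser:
    """Keeps a cookie jar and, like real browsers, a per-realm cache of Basic
    credentials that survives a cancelled credentials dialog."""

    def __init__(self, agent, on_prompt):
        self.agent = agent
        self.on_prompt = on_prompt   # returns (user, pw), or None when cancelled
        self.cookies = {}
        self.basic_cache = None
        self.prompts = 0

    def _send(self, now, form=None):
        headers = {}
        if self.basic_cache:   # cached credentials are sent with every request
            headers["Authorization"] = "Basic " + base64.b64encode(self.basic_cache.encode()).decode()
        status, resp_headers, set_cookie = self.agent.handle(headers, dict(self.cookies), now, form)
        for name, value in set_cookie.items():
            if value:
                self.cookies[name] = value
            else:
                self.cookies.pop(name, None)   # empty value clears the cookie
        return status, resp_headers

    def navigate(self, now):
        status, _ = self._send(now)
        if status == 401:
            self.prompts += 1
            creds = self.on_prompt()
            if creds is None:
                return 401   # user cancelled; the credential cache is untouched
            self.basic_cache = f"{creds[0]}:{creds[1]}"
            status, _ = self._send(now)
        return status

    def submit_login(self, now, user, pw):
        return self._send(now, form={"user": user, "pw": pw})[0]


def basic_scenario():
    """Log in, idle past the timeout, cancel the new challenge, then re-enter the
    URL: the cached Authorization header is replayed and access is regained."""
    answers = iter([("alice", "s3cret"), None])   # answer the first prompt, cancel the second
    b = Browser(Agent("basic"), lambda: next(answers, None))
    visits = [b.navigate(0), b.navigate(10), b.navigate(100), b.navigate(101)]
    return visits, b.prompts


def form_scenario():
    """Same timeline with a form login: after the timeout nothing cached in the
    browser can re-authenticate, so the redirect to /login persists."""
    b = Browser(Agent("form"), lambda: None)
    first = b.navigate(0)                      # redirected to the login form
    login = b.submit_login(0, "alice", "s3cret")
    visits = [first, login, b.navigate(10), b.navigate(100), b.navigate(101)]
    return visits, b.prompts
```

In basic_scenario the third visit returns 401 because the user cancelled, yet the fourth returns 200 with no further prompt: the browser replayed the cached Authorization header together with the SMCHALLENGE=YES cookie it had just been given, and the agent issued a fresh session. In form_scenario the expired session cookie is the only credential the browser holds, so every visit after the timeout stays at the redirect until the user logs in again.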