When a user has been idle for some time, the idle timeout configured on the protecting realm ends the session.
If the user cancels the credentials challenge box and edits the URL in the browser address bar, he gains access again without authenticating.
The authentication scheme used is a basic authentication.
What is happening there? How can we fix this issue?
When the user cancels the challenge box that prompts for his credentials and modifies the URL, the Web browser itself sends the credentials it has cached.
There is no way to prevent this with basic authentication.
If you want to avoid this problem, you will have to use form-based authentication.
Some more details on what is happening:
When you use basic authentication and you hit a protected page, the Web Agent sets a cookie called SMCHALLENGE=YES in your browser at the same time as it prompts you. Then, when you post your credentials, SiteMinder expects to see this cookie replayed by the browser along with the credentials.
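The following simulation is an added example, not SiteMinder's code or the original article's. It models the exchange described above for both schemes: a realm with an idle timeout, and a browser that keeps the Basic credentials it once entered even after the user cancels the challenge dialog. Only the SMCHALLENGE=YES cookie comes from the page; the sample account, the 300-second timeout, the SMSESSION cookie name and the /login redirect target are assumptions made for the example.

```python
import base64

# Constructed simulation (added example, not SiteMinder's code). The cookie
# name SMCHALLENGE comes from the page; the account, timeout, SMSESSION
# cookie and /login path are assumptions.

VALID_USERS = {"alice": "s3cret"}   # constructed sample account
IDLE_TIMEOUT = 300                  # idle timeout in seconds (assumed realm setting)


def basic_header(user, password):
    """Build the Authorization header a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(auth_header):
    """Return the user name if a Basic header carries valid credentials, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if VALID_USERS.get(user) == password else None


class Realm:
    """Protected realm whose sessions end after IDLE_TIMEOUT seconds of inactivity."""

    def __init__(self, scheme):
        self.scheme = scheme          # "basic" or "form"
        self.sessions = {}            # session id -> time of last request

    def _session_ok(self, cookies, now):
        sid = cookies.get("SMSESSION")
        last = self.sessions.get(sid)
        if last is None or now - last > IDLE_TIMEOUT:
            self.sessions.pop(sid, None)      # idle timeout: the session is gone
            return False
        self.sessions[sid] = now
        return True

    def _new_session(self, user, now):
        sid = f"sess-{user}-{now}"
        self.sessions[sid] = now
        # A None value tells the browser model to delete that cookie.
        return {"status": 200, "set_cookie": {"SMSESSION": sid, "SMCHALLENGE": None}}

    def handle(self, headers, cookies, now, form=None):
        if self._session_ok(cookies, now):
            return {"status": 200, "set_cookie": {}}
        if self.scheme == "basic":
            # Credentials are accepted only together with the SMCHALLENGE cookie
            # that was set when the 401 challenge was issued.
            if cookies.get("SMCHALLENGE") == "YES":
                user = parse_basic(headers.get("Authorization"))
                if user:
                    return self._new_session(user, now)
            return {"status": 401, "set_cookie": {"SMCHALLENGE": "YES"}}
        # Form-based: only an explicit POST of the login form authenticates.
        if form and VALID_USERS.get(form.get("user")) == form.get("password"):
            return self._new_session(form["user"], now)
        return {"status": 302, "set_cookie": {}, "location": "/login"}


class Browser:
    """Browser model: keeps cookies and, for Basic auth, the credentials it once
    entered for the realm. Cancelling the challenge dialog does not clear that cache."""

    def __init__(self):
        self.cookies = {}
        self.cached_auth = None

    def _apply(self, resp):
        for name, value in resp["set_cookie"].items():
            if value is None:
                self.cookies.pop(name, None)
            else:
                self.cookies[name] = value
        return resp["status"]

    def get(self, realm, now):
        headers = {"Authorization": self.cached_auth} if self.cached_auth else {}
        return self._apply(realm.handle(headers, self.cookies, now))

    def login_basic(self, realm, now, user, password):
        self.get(realm, now)                              # 401: challenge dialog appears
        self.cached_auth = basic_header(user, password)   # user types the credentials
        return self.get(realm, now)

    def login_form(self, realm, now, user, password):
        return self._apply(realm.handle({}, self.cookies, now,
                                        form={"user": user, "password": password}))


def replay_after_timeout(scheme):
    """Log in, stay idle past the timeout, then navigate twice with no user input.
    Returns (status of the first request, status of the next navigation)."""
    realm, browser = Realm(scheme), Browser()
    if scheme == "basic":
        assert browser.login_basic(realm, 0, "alice", "s3cret") == 200
    else:
        assert browser.login_form(realm, 0, "alice", "s3cret") == 200
    first = browser.get(realm, IDLE_TIMEOUT + 1)    # session expired: challenge or redirect
    second = browser.get(realm, IDLE_TIMEOUT + 2)   # user cancels the dialog, edits the URL
    return first, second
```

With Basic, `replay_after_timeout("basic")` returns (401, 200): the timed-out session produces the challenge, and the very next navigation is accepted because the browser replays its cached Authorization header together with the SMCHALLENGE cookie. With the form scheme the same sequence returns (302, 302): the browser has no credential to replay, so the user stays on the login page until the form is posted again. This is why the idle timeout only ends the session reliably when the credential lives in a server-controlled session cookie rather than in the browser's Basic-auth cache.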