Description:

There is a limitation for Siteminder integration with SharePoint 2007 when following technical document (TEC484560 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication).

After integration, if user with uid USER1 login to SP2007 and doesn't click on SignOut button in SharePoint 2007 but close the browser only; other user with uid USER2 open a new browser and submit USER2 credentials, the current login in SP2007 is still showing USER1 and not USER2.

Solution:

This is a limitation of SP2007 FBA (Form Based Authentication).

For SP2007's Basic Authentication, it sets "Session" cookie.

For SP2007's Form Based Authentication, it has option to set either "Session" or "Persistent" cookie.

However, if a custom login page is used, the cookie is set as "Persistent" by default. This is SharePoint design.

With SharePoint FBA, in order to gain access to Office documents, the ".ASPXAUTH" cookie needs to be persistent or the ".ASPXAUTH" cookie will not be shared across browser windows, so a User would be re-prompted to gain access to Office Documents.

As such, when you use custom login page (such as SiteMinder Forms Authentication Scheme), to provide access to these Office documents, the ".ASPXAUTH" cookie is created as a 'Persistent' cookie instead of as a 'Session' cookie.

If you plan to host Office Documents on the SharePoint site, the ".ASPXAUTH" cookie must be persistent, or it will not be presented since "Session" cookies are not shared across the browser windows and office document can't be viewed. The ".ASPXAUTH" cookie affects office documents but not Non-MS Documents such as pdf file. It means either ".ASPXAUTH" cookie is 'Persistent' or 'Session', users can view pdf file in SP2007 without second login.

Please refer to the following Microsoft link, which details the Limitations with SharePoint FBA Authentication and Office Documents; http://msdn.microsoft.com/en-us/library/bb977430.aspx.

There are 2 workaround to limit the impact of the persistent cookie (.ASPXAUTH):

1. Setting 'timeout' and 'slidingExpiration' in web.config of SP2007. If the 'timeout' value in the web.config file for "Forms" set to a value of 5 minutes ('slidingExpiration' default is True), the cookie will expire in 5 minutes, unless another resource is accessed by the user within the 5 minute timeout, in which case the ".ASPXAUTH" cookie is re-set to expire in an additional 5 minutes. http://www.asp.net/learn/security/tutorial-03-vb.aspx.
   
   However, this will not work if the second user login within 5 minutes.
   
   
2. Write a custom code (ex: javascript) to clear ".ASPXAUTH" cookie if customer closes browser without click "Signout". This involves Microsoft API on how to clear ".ASPXAUTH" cookie and customer should check with Microsoft for more information.