Symantec Access Management

  • 1.  Session not logged out from Policy server

    Posted Aug 17, 2020 09:03 AM
    Dear Team,

    In all the SM-protected applications, when we log out from the application, the session is logged off from the browser but not from the policy server.

    Ideally, if we have logged out from the session, then the session is invalidated, and if it has been saved by someone, then the user should not get logged in.

    We have already set the Logoff URI in the ACO parameter but still could not see any call from the web agent to the policy server where the session is invalidated and made unavailable for future use.

    Thanks
    Annu Singh




  • 2.  RE: Session not logged out from Policy server

    Broadcom Employee
    Posted Aug 17, 2020 09:18 AM

    Hi Annu,

    Persistent sessions are required in order to prevent the type of session replay you outlined. When a user has a persistent session, their session information is stored centrally in the session store; thus, when the user logs out, their centralized session will be invalidated and their session cookie cannot be replayed. Also, if a cookie provider is in use, it's important to make sure all the user's session cookies are invalidated during logout. The following doc link explains how to do this:

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/web-agent-configuration/comprehensive-log-out.html

    Regards,
    Pete
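
A conceptual model of the difference described in this thread, added here as an example (it is not part of either post and is not SiteMinder code): a self-contained signed cookie stays valid after logout, while a cookie whose session id is also held in a central store stops working once that entry is removed. The cookie format, class names and `replay_after_logout` are hypothetical stand-ins.

```python
import hashlib
import hmac
import secrets

# Conceptual model with hypothetical names; not SiteMinder's cookie format or API.
KEY = secrets.token_bytes(32)  # stands in for the key the agents share

def _tag(body: str) -> str:
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user: str) -> str:
    body = f"{secrets.token_hex(8)}|{user}"  # session id | user
    return f"{body}|{_tag(body)}"

def parse_cookie(cookie: str):  # (sid, user) if the HMAC verifies, else None
    parts = cookie.split("|")
    if len(parts) == 3 and hmac.compare_digest(
            parts[2].encode(), _tag(f"{parts[0]}|{parts[1]}").encode()):
        return parts[0], parts[1]
    return None

class NonPersistentRealm:
    """Session state lives only in the cookie; logout clears the browser copy."""
    def login(self, user):
        return issue_cookie(user)
    def logout(self, cookie):
        return ""  # browser cookie is overwritten; the server records nothing
    def authorize(self, cookie):
        return parse_cookie(cookie) is not None

class PersistentRealm(NonPersistentRealm):
    """Session id is also kept in a central session store and removed at logout."""
    def __init__(self):
        self.store = set()
    def login(self, user):
        cookie = issue_cookie(user)
        self.store.add(parse_cookie(cookie)[0])
        return cookie
    def logout(self, cookie):
        parsed = parse_cookie(cookie)
        if parsed:
            self.store.discard(parsed[0])
        return ""
    def authorize(self, cookie):
        parsed = parse_cookie(cookie)
        return parsed is not None and parsed[0] in self.store

def replay_after_logout(realm) -> bool:
    saved = realm.login("alice")  # constructed sample user; copy kept before logout
    realm.logout(saved)
    return realm.authorize(saved)  # True means the saved cookie still works
```

In both models the cookie itself is cryptographically intact after logout; only the server-side lookup in `PersistentRealm` gives the policy decision point something to revoke.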