Why can we re-use SMSESSION cookie after Logout ?
An attacker who steals an SMSESSION cookie can replay it on future requests, from another browser or the same one, until the session expires.
The session expiration is carried inside the cookie itself: when a Web Agent decodes the cookie, it checks the session timeouts
(Max/Idle) against the values stored in the cookie and, by default, does not validate the session against the Policy Server.
This scenario is not expected in normal operation: in a properly secured network nobody should be able to capture an SMSESSION cookie.
If you need to defend against it anyway, you can use one of the following solutions:
1. Implement Enhanced Session Assurance with DeviceDNA
Documentation: Enhanced Session Assurance with DeviceDNA
2. Use persistent sessions/realms with a short Session Validation Period
For persistent sessions only, you can specify how long the Web Agent caches the result of a session validation call to the Policy Server.
Session validation calls do two things: they inform the Policy Server that the user is still active, and they check that the user session is still valid.
After a logoff the session is removed from the session store, so if an SMSESSION cookie is replayed after the validation period has elapsed,
the Web Agent contacts the Policy Server, finds that the session is invalid, and rejects the request.
A replay that arrives while the cached validation result is still fresh is accepted without a Policy Server call, so set the period short enough for your risk tolerance.
Documentation: User Sessions - Persistent and non-Persistent
Documentation: Configure Enhanced Session Assurance with DeviceDNA
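The following is an added simulation, not CA SiteMinder code and not part of the original TechTip, that models the two behaviours described above: a non-persistent session, where the Web Agent only checks the Max/Idle timeouts carried in the cookie, and a persistent session, where the agent caches a validation result for the session validation period before asking the Policy Server again. The class names, the cookie fields and the exact caching rule are assumptions made for the model.

```python
"""Constructed model of why a replayed SMSESSION cookie can still be accepted
after logout. Illustrative only; not CA SiteMinder code. Class names, cookie
fields and the caching rule are assumptions of this model."""
from dataclasses import dataclass


@dataclass
class SessionCookie:
    """Fields the model assumes the SMSESSION cookie carries."""
    session_id: str
    issued_at: float      # when the session was created
    last_access: float    # last activity recorded in this copy of the cookie
    max_timeout: float    # Max session timeout (seconds)
    idle_timeout: float   # Idle session timeout (seconds)

    def locally_valid(self, now: float) -> bool:
        """The Max/Idle check a Web Agent can do from the cookie alone."""
        return (now - self.issued_at) <= self.max_timeout and \
               (now - self.last_access) <= self.idle_timeout


class PolicyServer:
    """Holds the session store used for persistent sessions."""
    def __init__(self) -> None:
        self.store: set[str] = set()

    def login(self, session_id: str) -> None:
        self.store.add(session_id)

    def logoff(self, session_id: str) -> None:
        # Logoff removes the session from the session store.
        self.store.discard(session_id)

    def validate(self, session_id: str) -> bool:
        return session_id in self.store


class WebAgent:
    def __init__(self, server: PolicyServer, persistent: bool,
                 validation_period: float) -> None:
        self.server = server
        self.persistent = persistent
        self.validation_period = validation_period
        # session_id -> time of the last successful validation call (assumed cache)
        self._validated_at: dict[str, float] = {}

    def authorize(self, cookie: SessionCookie, now: float) -> bool:
        if not cookie.locally_valid(now):
            return False
        if not self.persistent:
            # Non-persistent: the cookie is trusted until its own timeouts expire.
            return True
        cached = self._validated_at.get(cookie.session_id)
        if cached is not None and now - cached < self.validation_period:
            # Cached result still fresh: no call to the Policy Server.
            return True
        ok = self.server.validate(cookie.session_id)
        if ok:
            self._validated_at[cookie.session_id] = now
        else:
            self._validated_at.pop(cookie.session_id, None)
        return ok


def replay_after_logout(persistent: bool, validation_period: float,
                        replay_delay: float) -> bool:
    """Login at t=0, logoff at t=10, replay a stolen copy of the cookie at
    t=10+replay_delay. Returns True if the Web Agent accepts the replay."""
    server = PolicyServer()
    agent = WebAgent(server, persistent, validation_period)
    cookie = SessionCookie("SID1", issued_at=0, last_access=0,
                           max_timeout=7200, idle_timeout=3600)
    server.login(cookie.session_id)
    agent.authorize(cookie, now=0)           # first request caches the validation
    stolen = SessionCookie(**vars(cookie))   # attacker's copy, taken at t=0
    server.logoff(cookie.session_id)         # legitimate user logs off at t=10
    return agent.authorize(stolen, now=10 + replay_delay)


if __name__ == "__main__":
    print(replay_after_logout(False, 0, 60))    # non-persistent: accepted
    print(replay_after_logout(True, 300, 60))   # persistent, inside period: accepted
    print(replay_after_logout(True, 30, 60))    # persistent, period elapsed: rejected
    print(replay_after_logout(False, 0, 4000))  # idle timeout in cookie exceeded: rejected
```

The second case is the caveat to keep in mind: with a 300-second validation period a replay 60 seconds after logoff is still served from the agent's cache, so the period bounds how long a stolen cookie stays usable after logoff rather than eliminating the window.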
Thank you for the tips Julien!