Why can we re-use the SMSESSION cookie after Logout?

Document ID : KB000014091
Last Modified Date : 14/02/2018


A stolen SMSESSION cookie can be replayed for future requests, in another browser or in the same browser, until the session expires.

The session expiration is stored inside the cookie itself. When a Web Agent decodes the cookie, it checks the Session Timeout (Max/Idle) directly from the session information in the cookie and, by default, does not validate the session against the Policy Server.

The scenario above is not an expected situation, as normally, in a secure network, nobody will steal an SMSESSION cookie.


You can use the following solutions for this issue:


1. Implement Enhanced Session Assurance with DeviceDNA

Documentation: Enhanced Session Assurance with DeviceDNA


2. Use persistent sessions/realms with a short Session Validation Period

For persistent sessions only, you can specify the time period that the Web Agent caches the result of a session validation call to the Policy Server. 

Session validation calls perform two functions: informing the Policy Server that a user is still active and checking that the user session is still valid.

After a Logoff, the session is removed from the Session store, so if you attempt to replay an SMSESSION cookie after the validation period, the Web Agent will contact the Policy Server, find that the session is invalid, and reject the user session.
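The behaviour described above can be sketched as a small model. It is an added example, not CA code: the class and function names, the timeout values and the per-agent validation cache are simplifying assumptions, used only to show how the Session Validation Period bounds the time a cookie stays usable after Logoff.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:                      # decoded SMSESSION contents (simplified model)
    sid: str
    created: int                   # all times in seconds
    last_access: int
    max_timeout: int
    idle_timeout: int

class PolicyServer:
    def __init__(self):
        self.session_store = set()
    def login(self, sid):
        self.session_store.add(sid)
    def logout(self, sid):         # Logoff removes the session from the store
        self.session_store.discard(sid)
    def validate(self, sid):
        return sid in self.session_store

class WebAgent:
    def __init__(self, policy_server, persistent, validation_period=0):
        self.ps = policy_server
        self.persistent = persistent
        self.validation_period = validation_period
        self.validated_at = {}     # sid -> time of last successful validation
    def accepts(self, c, now):
        # Max/Idle timeouts are checked from the cookie contents alone.
        if now - c.created > c.max_timeout or now - c.last_access > c.idle_timeout:
            return False
        if not self.persistent:
            return True            # default: no Policy Server call
        last = self.validated_at.get(c.sid)
        if last is not None and now - last < self.validation_period:
            return True            # cached validation result is still trusted
        if self.ps.validate(c.sid):
            self.validated_at[c.sid] = now
            return True
        return False               # session no longer in the session store

def replay_after_logout(persistent, validation_period, delay):
    """Login at t=0, request at t=10, Logoff at t=20, replay at t=20+delay."""
    ps = PolicyServer()
    ps.login("s1")
    agent = WebAgent(ps, persistent, validation_period)
    # Constructed sample cookie: 2 h max timeout, 1 h idle timeout.
    cookie = Cookie("s1", created=0, last_access=10, max_timeout=7200, idle_timeout=3600)
    assert agent.accepts(cookie, now=10)   # legitimate request before Logoff
    ps.logout("s1")
    return agent.accepts(cookie, now=20 + delay)
```

In this model a non-persistent session is accepted after Logoff until the cookie's own timeouts elapse, while a persistent session is rejected at the first request made after the cached validation result has aged past the validation period.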


Additional Information:

Documentation: User Sessions - Persistent and non-Persistent

Documentation: Configure Enhanced Session Assurance with DeviceDNA