
SA as reverse proxy and persistent sessions

Occasional Contributor

I'm probably asking the same question that dozens, if not hundreds of others have asked...


When using the SA as a reverse proxy, how can I enforce session termination after the user has closed their browser? I've tried the disable persistent session option; no joy with any browsers that support multiple tabs.


Even if a user has multiple browser windows open, with only one associated with the SA, if they close the SA application window, they can open a new window and bypass the first factor authentication. 

Any suggestions would be greatly appreciated.



Respected Contributor

Re: SA as reverse proxy and persistent sessions

When using a browser that shares the cookies between multiple tabs/windows, the cookie is accepted as valid (since it is). In order to not allow this, you will need to use an aggressive idle session timeout; there is no way to clear the cookie/session until the user logs out OR the session times out.

This is a limitation of the cookie sharing.
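The behaviour described in the reply above, as an added example that is not part of the thread and is not the SA's own code: a minimal server-side session table in which the server never learns that a tab was closed, so only logout or the idle timeout ends the session. The class name, the 300-second timeout and the timestamps are assumptions chosen for illustration.

```python
import secrets


class SessionStore:
    """Hypothetical server-side session table keyed by the cookie value."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout  # seconds allowed between requests
        self._last_seen = {}              # cookie value -> time of last request

    def login(self, now):
        token = secrets.token_urlsafe(32)
        self._last_seen[token] = now
        return token

    def logout(self, token):
        # Explicit logout is the only user action the server can observe.
        self._last_seen.pop(token, None)

    def validate(self, token, now):
        """Accept the cookie unless it is unknown or has idled out."""
        last = self._last_seen.get(token)
        if last is None:
            return False
        if now - last > self.idle_timeout:
            del self._last_seen[token]    # expire server-side; cookie is now useless
            return False
        self._last_seen[token] = now      # any request resets the idle timer
        return True


def demo():
    """Constructed timeline: one login, tab closed, new tabs opened later."""
    store = SessionStore(idle_timeout=300)
    results = {}

    cookie = store.login(now=0)
    # t=60: user closes the SA tab. Nothing is sent, so the server sees nothing.
    # t=120: a new tab in the same browser presents the same shared cookie.
    results["new_tab_within_idle_window"] = store.validate(cookie, now=120)
    # t=500: 380 s since the last request exceeds the 300 s idle timeout.
    results["new_tab_after_idle_timeout"] = store.validate(cookie, now=500)

    cookie2 = store.login(now=600)
    store.logout(cookie2)
    results["new_tab_after_logout"] = store.validate(cookie2, now=601)
    return results


if __name__ == "__main__":
    print(demo())
```

The window during which a reopened tab is accepted is exactly the idle timeout, which is why the reply recommends setting it aggressively.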