I'm probably asking the same question that dozens, if not hundreds, of others have asked...
When using the SA as a reverse proxy, how can I enforce session termination after the user has closed their browser? I've tried the disable persistent session option, no joy with any browsers that support multiple tabs.
Even if a user has multiple browser windows open, with only one associated with the SA, if they close the SA application window, they can open a new window and bypass the first-factor authentication.
When using a browser that shares the cookies between multiple tabs/windows, the cookie is accepted as valid (since it is). In order to not allow this, you will need to use an aggressive idle session timeout; there is no way to clear the cookie/session until the user logs out OR the session times out.
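The behaviour described in the answer above, as an added example that is not part of the original thread and is not the SA's own code. It is a generic model of a server-side session table with an idle timeout and a browser whose windows share one cookie jar; all class and function names are hypothetical.

```python
import secrets


class SessionStore:
    """Generic server-side session table with an idle timeout (assumed model)."""

    def __init__(self, idle_timeout_s):
        self.idle_timeout_s = idle_timeout_s
        self._last_seen = {}  # session id -> time of last accepted request

    def login(self, now):
        sid = secrets.token_hex(16)
        self._last_seen[sid] = now
        return sid

    def logout(self, sid):
        # Explicit logout is the only event that ends the session early.
        self._last_seen.pop(sid, None)

    def validate(self, sid, now):
        last = self._last_seen.get(sid)
        if last is None:
            return False
        if now - last > self.idle_timeout_s:
            del self._last_seen[sid]  # expire on the server side
            return False
        self._last_seen[sid] = now  # any accepted request resets the idle timer
        return True


class Browser:
    """One browser process: every tab and window sees the same cookie jar."""

    def __init__(self):
        self.cookie_jar = {}

    def open_window(self):
        return self.cookie_jar


def scenario(idle_timeout_s, reopen_after_s, explicit_logout=False):
    """Log in, close that window, reopen later; return whether the cookie still works."""
    store, browser = SessionStore(idle_timeout_s), Browser()
    win1 = browser.open_window()
    win1["session"] = store.login(now=0)
    if explicit_logout:
        store.logout(win1["session"])
    del win1  # closing a window sends nothing to the server and leaves the jar intact
    win2 = browser.open_window()
    return store.validate(win2.get("session"), now=reopen_after_s)
```

With a 30-minute idle timeout, a window reopened after 5 minutes is still authenticated; with a 2-minute timeout, or after an explicit logout, the same cookie is rejected.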