Hi Rahil,
From your quote 1: "He opened another browser (Google Chrome) and tried to access App1. He was challenged for login --> entered correct credentials --> got error page 'Additional login not allowed'."
<RY> I believe when you entered correct credentials, a browser session is created (meaning the pd-s-session cookie is set) and WebSEAL then sends the user to the error page. Assuming the session is set on the second browser irrespective of the error page, a logout should terminate the duplicate session, if any. Could you try adding a dummy image HTML tag with src pointing to "/pkmslogout" in the head section of the duplicate-session error page? <RY>
From your quote 2: "But, in the same browser (Google Chrome), the user pastes the copied URL (App1 homepage URL) and is successfully redirected to the App1 homepage. (Note: On ISAM there is still only one session and the session value is also still the same. It is not altered.)"
<RY> With the dummy image src tag suggested above clearing the browser session in Chrome, WebSEAL should prompt for login when the user pastes the protected App1 home page URL. This might get you temporarily out of the security audit. <RY>
Regards,
Rama
------------------------------
Rama Yenumula
------------------------------
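Added illustration, not code from this thread, from IBM, or from WebSEAL itself: a small Python model of the hypothesis in the reply above (a login that hits the concurrent-session limit still leaves a session cookie set before the error page is shown) and of the two ways out of it: the workaround suggested above, where the error page fetches /pkmslogout so the duplicate session is destroyed, and the stricter form where the limit is checked before any session exists. The session store, the "/app1" path, the sample credential and the exact status codes are constructed assumptions; only the /pkmslogout endpoint and the limit of 1 come from the thread.

```python
"""Toy model of a reverse proxy enforcing a concurrent-session limit.

Added illustration only; this is not WebSEAL/ISAM code. It encodes the
hypothesis from the reply above: when the limit is hit, the login still
creates a session (cookie) before the error page is returned, so a later
request carrying that cookie is treated as authenticated. It then shows
(a) the workaround where the error page fetches /pkmslogout, and
(b) the hardened form that rejects the login before creating a session.
"""
import secrets
from dataclasses import dataclass, field

MAX_CONCURRENT_SESSIONS = 1
USERS = {"rahil": "correct-password"}   # constructed sample credential


@dataclass
class Proxy:
    # True = check the limit before a session exists (hardened form).
    enforce_before_create: bool = False
    sessions: dict = field(default_factory=dict)   # session id -> user

    def _count(self, user):
        return sum(1 for u in self.sessions.values() if u == user)

    def login(self, user, password):
        """Return (status, session_cookie); 403 models 'Additional login not allowed'."""
        if USERS.get(user) != password:
            return 401, None
        if self.enforce_before_create and self._count(user) >= MAX_CONCURRENT_SESSIONS:
            return 403, None            # error page, and no cookie is issued
        sid = secrets.token_hex(16)
        self.sessions[sid] = user       # modelled flaw: session exists before the check
        if self._count(user) > MAX_CONCURRENT_SESSIONS:
            return 403, sid             # error page, but the cookie is still set
        return 200, sid

    def request(self, path, cookie):
        """Return the status a browser would get for path with the given cookie."""
        if path == "/pkmslogout":
            self.sessions.pop(cookie, None)   # terminate only this session
            return 200
        if cookie in self.sessions:
            return 200                        # served as authenticated
        return 401                            # would be redirected to login


def reported_behaviour():
    """Reproduce the audit finding: the second browser's cookie still works."""
    p = Proxy()
    _, ie = p.login("rahil", "correct-password")             # 200, first session
    status, chrome = p.login("rahil", "correct-password")    # 403, cookie still set
    return status, p.request("/app1", chrome), p.request("/app1", ie)


def with_logout_image():
    """Workaround: error page carries <img src="/pkmslogout">, which the browser fetches."""
    p = Proxy()
    _, ie = p.login("rahil", "correct-password")
    _, chrome = p.login("rahil", "correct-password")
    p.request("/pkmslogout", chrome)          # the image request, sent with Chrome's cookie
    return p.request("/app1", chrome), p.request("/app1", ie), len(p.sessions)


def check_before_create():
    """Hardened form: the limit is enforced before any session is created."""
    p = Proxy(enforce_before_create=True)
    _, ie = p.login("rahil", "correct-password")
    status, chrome = p.login("rahil", "correct-password")
    return status, chrome, p.request("/app1", ie), len(p.sessions)


if __name__ == "__main__":
    print("reported:", reported_behaviour())          # (403, 200, 200)
    print("logout image:", with_logout_image())        # (401, 200, 1)
    print("check first:", check_before_create())       # (403, None, 200, 1)
```

The model only encodes the assumption stated in the reply; whether the real product actually issues a cookie on the rejected login is exactly what the /pkmslogout experiment is meant to establish. The image trick also only helps if the browser requests the image with the session cookie attached, so it is worth confirming that request in the WebSEAL request log or a Fiddler trace rather than assuming it.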
Original Message:
Sent: Tue January 14, 2020 09:37 PM
From: Padam Khatana
Subject: Concurrent Sessions are enabled but Users are able to access application in two different browsers
Hello,
How many WebSEAL server instances are there where the standard junction is created for App1?
Also, the session is shared across browser tabs, and some browsers also support session sharing in a new window. Check with the help of Fiddler how the session is managed by the browser.
------------------------------
Padam Khatana
Original Message:
Sent: Tue January 14, 2020 09:01 AM
From: Rahil Anwar
Subject: Concurrent Sessions are enabled but Users are able to access application in two different browsers
Hi,
We have enabled the concurrent sessions limit to 1 and it's working fine. But in a security audit one vulnerability was raised:
i.e. user Rahil accesses the ISAM-protected application (App1) in IE and logs into App1 successfully. The user copies the App1 homepage URL. (Note: On ISAM there is only one session.)
He opened another browser (Google Chrome) and tried to access App1. He was challenged for login --> entered correct credentials --> got error page "Additional login not allowed".
But, in the same browser (Google Chrome), the user pastes the copied URL (App1 homepage URL) and is successfully redirected to the App1 homepage. (Note: On ISAM there is still only one session and the session value is also still the same. It is not altered.)
User Rahil is able to access App1 in both IE and Google Chrome.
Your comments, and a way to restrict this from the ISAM side, if any?
Thanks,
Rahil
------------------------------
Rahil Anwar
------------------------------