|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager, Authentication Agent for Web
RSA Version/Condition: 8.1 SP1 Patch 13, 8.0 for IIS
Platform: SUSE Linux, Windows
|Issue||This issue is specific to the Chrome browser.|
On a shared Windows platform, when users navigate to a web application protected by RBA using Chrome, the first user has to authenticate with RBA, but a second user who also uses Chrome does not have to authenticate to reach the same application, even after closing the browser and rebooting the machine. The only way to get back to the authentication screen is to fully clear the history in Chrome. This behavior does not occur in Internet Explorer or Firefox.
|Cause||Chrome caches cookie and history data, and does not automatically clear this data on closing the browser.|
Chrome is more persistent in its handling of sessions/credentials, and may be holding the original credentials or cookies from the original device history, in effect overriding the clearing of cookies that normally occurs when a browser is closed.
|Resolution||Perform Step 1 first to clear the device history, and then optionally Step 2:
1. Clear Device History in the Security Console for this Web RBA agent for both/all users sharing it. Go to Identity > 'Manage Enabled Users', locate the user in question and then from the context menu select 'Risk-Based Authentication'.
Then click on 'Delete Device History' to clear all registered devices.
2. Optionally, increase the Assurance Level in the RBA Policy that applies to these users, if Step 1 does not fix the issue for the Chrome users.
The above steps (1 & 2) should be performed for any change in the RBA Policy Assurance Settings to take effect.
|Workaround||Manually clear the Chrome browser history, or download and install the "Click&Clean" plug-in for Chrome, which allows Chrome to be configured to work the way both IE and Firefox currently do.|
(After installing the "Click&Clean" plug-in for Chrome, be sure to configure ALL of the Clear/Delete/Empty Chrome settings from "The Beginning of Time", and the Extra settings to delete private data when Chrome exits.)
Download Location of the "Click&Clean" Plugin given below:
The Click&Clean Website:
|Notes||Tracked in Jira AM-29997 : Chrome Browser History stores AM 8.1 SP1 RBA cookie, 2nd user automatically logged in.|