000033120 - Chrome does not clear the cookie on logout from Authenticaiton Manager 8.1 SP1 P13 RBA-protected application

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000033120
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager, Authentication Agent for Web
RSA Version/Condition: 8.1 SP1 Patch 13, 8.0 for IIS
Platform: Suse Linux, Windows
IssueThis issue is specific to the Chrome browser.
When a user navigates to a web application protected by RBA on a shared Windows Platform, if Chrome is used. First user will have to authenticate with RBA, but if the second user also uses Chrome, then that second user does not have to authenticate to get to the same application, even after closing the browser and rebooting the machine. The only way to get back to the authentication screen is to fully clear history in Chrome. This behavior is not happening in Internet Explorer or Firefox.
 
CauseChrome caches cookie and history data, and does not automatically clear this data on closing the browser.
It is more persisting in its handling of sessions/credentials, and may be holding the original credentials or cookies from the original device history, in effect overriding the clearing of cookies that normally occurs when a browser is closed.
ResolutionPerform Step 1 first to clear device history, and optionally step 2 of the following tasks;
1. Clear Device History in the Security Console for this Web RBA agent for both/all users sharing it. Go to Identity > 'Manage Enabled Users', locate the user in question and then from the context menu select 'Risk-Based Authentication'. 
RBA Clear Device
Then click on 'Delete Device History' to clear all registered devices.
2. Optionally, Increase the Assurance Level in the RBA Policy that applies to these users, if the Step 1 does not fix the Chrome Users
RBA Policy
The above steps (1 & 2) should be performed for any change in the RBA Policy Assurance Settings to take effect
 
WorkaroundManually Clear Chrome Browser history (or) Download and install the "Click&Clean" plug-in for Chrome, which allows it to be configured to work like both IE and FireFox currently do.
(After installation of the "Click&Clean" plug-in for Chrome, Ensure to configure ALL of the Clear/Delete/Empty Chrome Settings from "The Beginning of Time" and the Extra settings to delete Private data when Chrome exits)
Click settings

Download Location of the "Click&Clean" Plugin given below:
Chrome Website:
https://chrome.google.com/webstore/detail/clickclean/ghgabhipcejejjmhhchfonmamedcbeod/reviews?hl=en
(or)
The Click&Clean Website:
http://www.hotcleaner.com/
 
NotesTracked in Jira AM-29997 : Chrome Browser History stores AM 8.1 SP1 RBA cookie, 2nd user automatically logged in.

Attachments

    Outcomes