Authpoint - Access Portal Cookies

Hi,

We have an issue with authpoint SAML in conjunction with the Access Portal.
When closing the Access Portal web interface, the authentication cookie stays active/valid for the time-out threshold set under Authentication > Settings > Firewall Authentication.

When users close their browser and let's say re-open it, or someone else does, within the time-out settings threshold, they have access right away without having to re-authenticate.

This is a big security risk!

Is there an option to remove the cookie on browser window close?

We know a user should use the 'Log Out' button, but you know how users are, they just close a window.

Is this available/manageable with the Access Portal and Authpoint SAML.

Close browser -> delete cookie -> open browser, re-authenticate!

(even though it was within Session/Idle threshold under Authentication > Settings > Firewall Authentication).

Regards,

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @IHCS
    Access portal follows the timeout settings from SSLVPN for auth sessions, but in general, just having it open will create traffic.

    If you're using shared computers with shared logins via the access portal, I'd suggest setting the browsers up to clear cookies on exit. That will clear the Access Portal and any other open session in that browser.

    -James Carson
    WatchGuard Customer Support

  • edited February 9

    Seems like we have another issue actually, I made a bad explanation of the issue. When the users actually are timed-out, they refresh the page and are logged right back in... That's a serious security issue!

    IE:
    I was logged in to the Access Portal. At some point my RDP sessions disconnected after waiting a while and the Access Portal main page said, Login Expired.
    I refresh the page and I'm logged right back in without re-authenticating.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @IHCS
    I'd suggest creating a support case if you haven't done so already. We would really need to see the logs from the firebox to see what's happening.

    -James Carson
    WatchGuard Customer Support

  • Hi James,

    We've set timers for the Firebox Authentication parameters and the Access Portal both to
    120 minutes session
    60 minutes idle.

    We'll monitor the results and come back afterwards, perhaps open a ticket.

  • James,
    In reply to your: 'If you're using shared computers with shared logins via the access portal, I'd suggest setting the browsers up to clear cookies on exit. '

    I cannot control publicly available computers or computers from other companies. People access the portal from random places as they should be able to.

Sign In to comment.