How do I delete ServiceNow Session (HTTPOnly) cookies during SSO login process?

BabyYoda
Tera Expert

Use case: User logs into client system as User A. User SSOs into ServiceNow (SN). User doesn't log off SN and closes tab/window. User logs out of client system and logs into client system as User B and then SSOs into SN. What I'm observing is SN doesn't show User B but User A, most likely because the glide session cookies are still active for User A, even though the client system user is User B. SN bypasses SSO check because session cookies exist. I'd like SN to address this. Until they do, the next best approach, I think, is deleting the cookie information.

One problem is I have no idea where you'd set or delete these cookies in the first place in SN. Second, I don't know the workflow steps SN uses for the SSO process. If I can isolate where SN decides to trigger the MultiSSO authentication step, maybe I can add the cookie information there. I just don't know where and how to start. If I knew where cookies were set and where they could be deleted, that'd be a big help.

Anybody have any suggestions or guidance? Thank you for your help in advance.

5 REPLIES

Sukraj Raikhraj
Kilo Sage

Is the user using the same PC and browser session? What's the SSO client?

BabyYoda
Tera Expert

Yes. Same PC and browser session. The SSO client is just another website.

From what I observed, SN does not bother to log out the previous session if a new SSO session is trying to be established. It just assumes it's the same session instead of trying to perform SSO authentication. I'm trying to institute a workaround, which is deleting the cookies. But I don't know where to start with that. Where are cookies set in SN? Is it behind compiled code? How would you expire cookies in SN for this particular issue?

Siva74
Tera Contributor

Hi, even I am running into the same problem. Were you able to fix it?

Hi Siva, have you fixed this issue?
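
The behaviour described in this thread, modelled next to a login check that binds the session to the asserted SSO identity. This is an added example, not part of the original posts and not ServiceNow code: the cookie name `app_session` and all function names are hypothetical. It shows that an HttpOnly cookie can only be expired by the server (a `Set-Cookie` with `Max-Age=0`), and that the server-side session must be invalidated as well.

```javascript
// Added illustration, not ServiceNow code. The cookie name "app_session" and
// every function name here are hypothetical.
const SESSION_COOKIE = "app_session";
let counter = 0; // demo only: real session ids must be unpredictable random values

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Page script cannot read or clear an HttpOnly cookie; the server expires it by
// re-sending the same name and Path with Max-Age=0.
function expireCookie(name) {
  return `${name}=; Path=/; Max-Age=0; HttpOnly; Secure`;
}

function startSession(sessions, user) {
  const sid = `sid-${++counter}`;
  sessions.set(sid, user);
  return { user, setCookie: [`${SESSION_COOKIE}=${sid}; Path=/; HttpOnly; Secure`] };
}

// Behaviour described in the thread: a live session cookie skips the SSO check.
function sessionFirstLogin(sessions, cookieHeader, assertedUser) {
  const sid = parseCookies(cookieHeader)[SESSION_COOKIE];
  if (sid && sessions.has(sid)) return { user: sessions.get(sid), setCookie: [] };
  return startSession(sessions, assertedUser);
}

// Hardened: the session is reused only if its owner matches the asserted user.
function identityBoundLogin(sessions, cookieHeader, assertedUser) {
  const sid = parseCookies(cookieHeader)[SESSION_COOKIE];
  if (!sid || !sessions.has(sid)) return startSession(sessions, assertedUser);
  if (sessions.get(sid) === assertedUser) return { user: assertedUser, setCookie: [] };
  sessions.delete(sid); // invalidate server side, not only in the browser
  return { user: null, setCookie: [expireCookie(SESSION_COOKIE)], restartSso: true };
}

// Constructed scenario: User A's cookie is still in the browser when User B arrives.
function demo(login) {
  const sessions = new Map();
  const a = login(sessions, "", "userA");
  const staleCookie = a.setCookie[0].split(";")[0];
  return login(sessions, staleCookie, "userB");
}
```

With the session-first check, `demo` returns User A for User B's login; with the identity-bound check it returns no user, an expiring `Set-Cookie`, and a flag to restart SSO.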