Problem Statement:
In our tenant we have non-persistent sessions enabled. But when the tab, window, or browser is closed and reopened, the session persists.
Solution:
There are a couple of reasons why sessions might persist. The browser being used, the browser settings, and the operating system can all affect this feature.
- If the browser's session restore setting is enabled, restoring the session also restores the session cookie.
- Additionally, closing the tab by itself is not enough to end the session. For example, on macOS, the browser needs to be completely closed with Command + Q.
- If the session was created through a federated IdP connection, this feature will not work.
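To separate a tenant-side cause from the browser behaviour listed above, check whether the session cookie the server sets is actually non-persistent. The following is an added example, not part of the original article: it classifies `Set-Cookie` header values copied from the browser's developer tools, and the cookie name and values are constructed samples.

```javascript
// Classify a Set-Cookie header value as "session" (non-persistent),
// "persistent", or "deleted". Per RFC 6265, a cookie with neither Max-Age
// nor Expires lives only for the browser session, and Max-Age takes
// precedence over Expires when both are present.
function classifySetCookie(header, now = new Date()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eqPos = pair.indexOf("=");
  const name = eqPos === -1 ? "" : pair.slice(0, eqPos);
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? "" : attr.slice(eq + 1).trim();
    if (key === "max-age" && /^-?\d+$/.test(value)) maxAge = Number(value);
    if (key === "expires" && !Number.isNaN(Date.parse(value))) expires = new Date(value);
  }
  if (maxAge !== null) {
    return maxAge > 0
      ? { name, kind: "persistent", expiresAt: new Date(now.getTime() + maxAge * 1000) }
      : { name, kind: "deleted", expiresAt: null };
  }
  if (expires !== null) {
    return expires > now
      ? { name, kind: "persistent", expiresAt: expires }
      : { name, kind: "deleted", expiresAt: null };
  }
  return { name, kind: "session", expiresAt: null };
}

// Constructed sample headers (hypothetical cookie name "sid_example").
const SAMPLE_HEADERS = [
  "sid_example=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "sid_example=abc123; Path=/; Max-Age=259200; HttpOnly; Secure",
  "sid_example=abc123; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Max-Age=0",
  "sid_example=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/",
];

// Returns the classification of every header, in order.
function auditHeaders(headers, now = new Date()) {
  return headers.map((h) => classifySetCookie(h, now));
}

for (const r of auditHeaders(SAMPLE_HEADERS)) {
  console.log(`${r.name}: ${r.kind}`);
}
```

If the cookie is classified as `session` and the login still survives a restart, the cause is on the client side: session restore, or a browser that was never fully closed.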