Hi Ankush,
This has been covered extensively by our KB (Knowledge Base) articles:
http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec544015.aspx
For your quick reference, here is the snippet from the KB:
There are several ways to prevent replay of cookies:
- Enable SSL across your entire site;
- Turn on IP checking on the Web Agent with transient IP check;
- Set your session timeout values (idle/max) to a "low" value;
- Enable the Session Store. The Session Store is used by the Policy Server to centrally manage/store a user's session information. When a user logs out via the Web Agent, the session is marked as invalid by the Policy Server in the Session Store. This keeps anyone else from using that same session information when trying to replay an SMSESSION cookie.
- Roll over Web Agent keys regularly;
- Set the ACO parameters TransientIDCookies to no and PersistentCookies to yes;
- Set the UseHTTPOnlyCookies ACO parameter to yes;
Refer to these Technical Documents for further information related to each point above:
TEC457904
TEC459098
TEC457949
TEC451146
TEC458952
That said, the best and most foolproof solution to date is using the "Session Assurance/Device DNA" feature.
This has been covered here: https://www.youtube.com/watch?v=S0Atd_JFML0
I hope all of these give you enough to implement the solution that is best suited for you.
Cheers,
Ujwol Shrestha
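As an added example (not part of the reply above or of any CA/SiteMinder tooling), here is a small audit that parses a Web Agent configuration written in the Name="value" line style of LocalConfig.conf and reports which of the cookie-replay settings named in the reply are missing or set the other way. Assumptions: TransientIPCheck is taken as the parameter behind "transient IP check", values are compared case-insensitively, and the sample configuration is constructed for the demonstration.

```python
import re

# Constructed sample in the Name="value" style of a Web Agent LocalConfig.conf
# (assumption: a real file carries many more parameters than shown here).
SAMPLE_CONFIG = '''
# Web Agent local configuration (constructed example)
EnableWebAgent="YES"
TransientIDCookies="yes"
PersistentCookies="no"
UseHTTPOnlyCookies="no"
'''

# ACO parameter -> value recommended in the reply against SMSESSION cookie replay.
# TransientIPCheck is assumed to be the parameter that turns on transient IP checking.
RECOMMENDED = {
    "TransientIDCookies": "no",
    "PersistentCookies": "yes",
    "UseHTTPOnlyCookies": "yes",
    "TransientIPCheck": "yes",
}

# One Name="value" line; the quotes are optional so unquoted values parse as well.
_LINE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"]*)"?\s*$')


def parse_agent_config(text):
    """Return {parameter: value}; blank lines and '#' comment lines are skipped."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def audit_replay_settings(text):
    """Return (parameter, found_value, recommended_value) for every recommended
    setting that is absent or differs case-insensitively from the recommendation."""
    params = parse_agent_config(text)
    findings = []
    for name, want in RECOMMENDED.items():
        got = params.get(name)
        if got is None or got.lower() != want:
            findings.append((name, got, want))
    return findings


if __name__ == "__main__":
    for name, got, want in audit_replay_settings(SAMPLE_CONFIG):
        print(f"{name}: found {got!r}, recommended {want!r}")
```

Running it against the sample reports all four settings; a configuration that already matches the reply's recommendations yields an empty list.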