I have set up WAP/ADFS 4.0 with a published IIS non-claims-based application with pre-authentication and Kerberos. On WAP the Signout option is enabled for the application, so a sign-out cleans up the EdgeAccessCookie and you need to log on again after a sign-out or after closing the Chrome browser.
But if the EdgeAccessCookie is stolen before logout (with a Chrome extension like "EditThisCookie"), the hacker could re-use the cookie to sign in. As long as the -PersistentAccessCookieExpirationTimeSec is valid on the WAP server for the published application, the cookie can be used to log on. (With a good claims-based application you can invalidate the session server-side, so the cookie replay can be avoided.)
So far, so good.
My question is: when I use a MITM tool like Fiddler or Charles (with HTTPS inspection), I can "repeat" the action long after the PersistentAccessCookieExpirationTimeSec value has expired! Why does WAP take the PersistentAccessCookieExpirationTimeSec setting into account with a browser but not with Fiddler or Charles?
I assume it is not a bug but I'm missing something...