topic Re: Chromebook Kiosk Session Cookies in Policy & Access Control

Chromebook Kiosk Session Cookies

Bozz — Wed, 03 Sep 2025 13:34:11 GMT

I have a Chromebook that is in Kiosk mode and points to a specific URL for timeclock login. The timeclock system is protected with DUO. The issue is, after a person logs in to the url with duo and then logs out, when the next person logs in it automatically sends a code to the previous person. I have the Chromebook set to force incognito mode and to not store any history, but I can't seem to get it to clear the session cookie from the first DUO login. I'm hoping I am just missing a setting in Chrome management or the DUO policy. Thanks in advance!

Re: Chromebook Kiosk Session Cookies

DuoKristina — Wed, 03 Sep 2025 20:57:56 GMT

Hmm, here's someone who seems to have the same complaint. https://support.google.com/a/thread/323185632/erase-cookie-when-leaving-kioskmode?hl=en

Are you using Duo SSO (is the timeclock app SAML or OIDC federated with Duo SSO)?

You could set the Duo SSO session duration to 0, which would make someone sign on every time the app was accessed.

If you have other apps federated with Duo SSO or workstations not in kiosk mode don't do this, as it will annoy all your other users.

If it's a SSO app, does the timeclock application support a single log-out URL and is it configured for that app in Duo? More details about SLO support in Duo SSO.

Re: Chromebook Kiosk Session Cookies

Bozz — Thu, 04 Sep 2025 13:14:04 GMT

Thank you! I am not sure that is going to help as they never actually login to the Chromebook. They are just signing out of a webpage that is running in kiosk mode. We are using DUO with AD as the authority for a lot of our MFA stuff, so I am not sure I could set that session duration setting unless it can be done in a specific policy just for this application. I'll check into the single log-out option.