On April 11, 2019, CERT/cc published a vulnerability note ( VU#192371) describing a vulnerability on how different VPN implementations store session cookies within system memory.

Cisco investigated this issue and determined Cisco AnyConnect is not vulnerable to the behavior described in VU#192371 with regard to storing session tokens in log files. Cisco PSIRT is not aware of any situation where a currently valid session token is written to log files. This is documented in Cisco Bug ID CSCvk10249.

Cisco AnyConnect stores session cookies within system memory to support resumption of Clientless VPN sessions.
The storage of the session cookie within process memory of the client and in cases of Clientless sessions the web browser while the sessions are active are not considered to be an unwarranted exposure. These values are required to maintain the operation of the session per design of the feature should session re-establishment be required due to network interruption. We have documented the concerns and the engineering teams will incorporate this feedback into discussions for future design improvements of the Cisco AnyConnect VPN solution.

It should also be noted that all session material stored by both the Cisco AnyConnect Client and Clientless solutions are destroyed once the sessions is deliberately terminated by the client.