My security team came to test our MSCRM application (IFD ADFS) for the "cookie replay attack" case.

When a user signs out from CRM, they snap the request and cookies, then use them to replay the request for the test case "cookie replay attack".

They are able to get data from CRM! In this case the application fails the security test.

What should I do to fix it, to check that the user is authenticated before being allowed to call other services?