Security Guide for Siebel Business Applications

Session Cookie

The session cookie consists of the session ID generated for a user's session. This cookie is used to manage the state of the user's session. The session cookie applies to the Siebel Web Client only. Cookie modes are determined on the SWSE by the setting of the

For information about setting parameter values in the eapps.cfg file, see Configuration Parameters Related to Authentication. Some Siebel application requirements relating to the settings of the

Cookie-Based Mode

This section describes the behavior of cookie-based mode. Cookie-based mode applies when

When a user successfully logs into the application, a unique session ID is generated. The components of the session ID are generated in the Siebel Server and sent to the Session Manager running in the SWSE. In cookie-based mode, the session ID is passed to the user's browser in the form of a nonpersistent cookie.

Session ID components include the applicable server ID, process ID, and task ID, combined with a timestamp. All values are in hexadecimal form, as shown:

server_ID.process_ID.task_ID.timestamp

For example, the session ID may resemble this:

The session cookie is nonpersistent and is stored in memory only. It stays in the browser for the duration of the session, and is deleted when the user logs out or is timed out.

The session ID is encrypted in the cookie if the

NOTE: You can increase the encryption key length to 128 bits for RC2 and up to 256 bits for AES. To increase the encryption key length, you need to install the Siebel Strong Encryption Pack. For more information about the Siebel Strong Encryption Pack, see About Siebel Strong Encryption Pack.

For every application request that the user makes during the session, the cookie is passed to the Web server in an HTTP header as part of the request. Without a valid cookie in the HTTP header, the Web server will not honor that request.

NOTE: If the user changes the password during an application session, then the password information in the session cookie may no longer allow the user to access the Siebel Reports Server during this session. (This issue applies when using both database authentication and password hashing.) After changing the password, the user should log out and log in again in order to be able to run reports.

Cookieless Mode

This section describes the behavior of cookieless mode. Cookieless mode applies when

In cookieless mode, the session ID is passed as an argument in the SWE construct of the URL. Any URL request passed to the Web server from the browser must include a valid session ID, or the Web server rejects it. The session ID in the URL is encrypted if the

NOTE: You can increase the encryption key length to 128 bits for RC2 and up to 256 bits for AES. To increase the encryption key length, you need to install the Siebel Strong Encryption Pack. For more information about the Siebel Strong Encryption Pack, see About Siebel Strong Encryption Pack.

A cookieless session is invoked when the browser does not send back a session cookie to the Siebel Web Engine. This event can be caused by cookies being disabled in the user's browser, or by a browser that does not support cookies. You may want a Siebel application to function in cookieless mode for all sessions for reasons such as security requirements that do not permit cookies.
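As an added illustration (not code from the Siebel documentation or product), the following Python parses a session ID of the documented shape (server_ID.process_ID.task_ID.timestamp, all hexadecimal) and classifies a request as cookie-based or cookieless by where it carries such an ID, which is useful when reviewing Web server logs to see which mode sessions are actually using. The cookie name, the URL argument name and the sample session ID value are placeholders and constructed values, since the page does not give them.

```python
import re
from http.cookies import CookieError, SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Documented shape of a Siebel session ID: server_ID.process_ID.task_ID.timestamp,
# every component in hexadecimal.
SESSION_ID_RE = re.compile(r"^[0-9a-fA-F]+(?:\.[0-9a-fA-F]+){3}$")

# ASSUMPTION: the real cookie and URL argument names are not given on the page;
# these placeholders must be replaced with the deployment's actual names.
SESSION_COOKIE_NAME = "SIEBEL_SESSION_COOKIE_PLACEHOLDER"
SESSION_URL_ARG = "SessionIdArgPlaceholder"

# Constructed sample value in the documented shape; not a real Siebel session ID.
SAMPLE_SESSION_ID = "1a.2b3c.4d5e.5f3e1c80"


def parse_session_id(value):
    """Split a session ID into its four components, decoding each hex field to an
    integer. Returns None when the value does not have the documented shape."""
    value = value.strip()
    if not SESSION_ID_RE.match(value):
        return None
    server_id, process_id, task_id, timestamp = value.split(".")
    return {
        "server_id": int(server_id, 16),
        "process_id": int(process_id, 16),
        "task_id": int(task_id, 16),
        "timestamp": int(timestamp, 16),
    }


def classify_request(url, headers):
    """Return ("cookie", id) when the session cookie carries a well-formed ID
    (cookie-based mode), ("cookieless", id) when only the URL argument does, or
    ("none", None). Header names match case-insensitively; a malformed Cookie
    header is treated as carrying no session cookie."""
    lowered = {name.lower(): val for name, val in headers.items()}
    jar = SimpleCookie()
    try:
        jar.load(lowered.get("cookie", ""))
    except CookieError:
        jar = SimpleCookie()
    if SESSION_COOKIE_NAME in jar:
        candidate = jar[SESSION_COOKIE_NAME].value
        if parse_session_id(candidate):
            return "cookie", candidate
    for candidate in parse_qs(urlsplit(url).query).get(SESSION_URL_ARG, []):
        if parse_session_id(candidate):
            return "cookieless", candidate
    return "none", None
```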