REPORTS_COOKIE_EXPIRE environment variable
This environment variable specifies the lifetime of a cookie within a given Reports Server session.
If Single Sign-On is not being used, then any user accessing a secured instance
of the Reports Server is challenged to identify themselves by rwservlet
through its own authentication mechanism (identical to the behavior of Oracle Reports 6i).
Because the HTTP 1.0 protocol is stateless (that is, each call to the server is
effectively independent of all others), users might need to authenticate themselves
for each report request unless a cookie is maintained.
To allow users to authenticate themselves only once per session, rwservlet
has its own client-side cookie, the authid cookie, in which it stores the required
authentication information for the current session. Once the user is authenticated,
an encrypted cookie is created in the browser to enable the user to submit multiple
report jobs without re-authenticating for each request. The authid cookies are
terminated when the user closes their browser session, but you should not rely
strictly on this method of terminating the cookie. You should limit the lifetime
of the cookie within a given session using the REPORTS_COOKIE_EXPIRE
environment variable. For example, a user might log on and then go to lunch,
leaving the browser session open. To minimize the potential for a security breach
in this situation, the administrator may define the REPORTS_COOKIE_EXPIRE
environment variable on the Reports Server. When rwservlet
receives a job request, it compares the time saved in the cookie with the current
system time. If the elapsed time is longer than the number of minutes defined in the
environment variable (for example, 30 minutes), the cookie is rejected and the user
is challenged to provide authentication information.
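The check described above, sketched as an added example (not Oracle's code; the actual format of the rwservlet authid cookie is not given on this page). It assumes a hypothetical cookie of the form payload.mac carrying an HMAC-protected issue time; SERVER_KEY, parse_expire_minutes, issue_cookie and check_cookie are illustrative names.

```python
import base64
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # constructed; hypothetical server-side secret


def parse_expire_minutes(raw, fallback=30):
    """Parse a REPORTS_COOKIE_EXPIRE-style value (minutes).

    fallback=30 is the page's example value, not a documented default."""
    try:
        minutes = int(raw)
    except (TypeError, ValueError):
        return fallback
    return minutes if minutes > 0 else fallback


def issue_cookie(user, now=None):
    """Hypothetical format: base64url('user|issued_at') + '.' + HMAC-SHA256 hex."""
    issued = int(time.time() if now is None else now)
    payload = base64.urlsafe_b64encode(f"{user}|{issued}".encode()).decode()
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def check_cookie(cookie, expire_minutes, now=None):
    """Return (True, user) or (False, reason); on False, challenge the user again."""
    now = time.time() if now is None else now
    try:
        payload, mac = cookie.rsplit(".", 1)
        expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        # Verify integrity first so a client cannot rewrite the saved time.
        if not hmac.compare_digest(mac, expected):
            return False, "bad-mac"
        user, issued = base64.urlsafe_b64decode(payload).decode().rsplit("|", 1)
        issued = int(issued)
    except (AttributeError, TypeError, ValueError):
        return False, "malformed"
    if issued > now:  # a saved time in the future is never valid
        return False, "future-timestamp"
    if now - issued > expire_minutes * 60:  # "longer than" N minutes: reject
        return False, "expired"
    return True, user
```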
Note: If you want to force users to authenticate themselves for a specific
report, you can use the SHOWAUTH command line keyword. Alternatively, you can
include a %S in the corresponding report entry in the key map file. This file is
usually called cgicmd.dat and is located in ORACLE_HOME/reports/conf. %S forces
users to enter their user name and password each time the report is called.
Valid Values | Any number of minutes
Default |
REPORTS_COOKIE_EXPIRE=30
"Securing Oracle Reports" chapter in OracleAS Reports Services Publishing Reports to the Web
Copyright © 1984, 2005, Oracle. All rights reserved.