
Session Cookie

The session cookie consists of the session ID generated for a user's session. This cookie is used to manage the state of the user's session. The session cookie applies to the Siebel Web Client only.

Cookie modes are determined on the SWSE by the setting of the SessionTracking parameter in the eapps.cfg file. The settings are Automatic, Cookie, or URL.

  • Using the default SessionTracking setting of Automatic, the SWSE runs in cookie-based mode. However, if a browser does not support cookies or if a user's browser is configured to not allow cookies, the SWSE uses URLs instead of cookies.
  • To force the SWSE to always use cookie-based mode, set SessionTracking to Cookie.
  • To force the SWSE to always use URLs, and not cookies, set SessionTracking to URL.

For information about setting parameter values in the eapps.cfg file, see Configuration Parameters Related to Authentication.

Some Siebel Business Applications requirements relating to the settings of the SessionTracking parameter are as follows:

  • The Quick Print feature requires that SessionTracking be set to either Automatic (the default) or URL. For information about using this printing feature, see Siebel Fundamentals. For information about browser requirements for this feature, see Siebel System Administration Guide.
  • Inbound EAI HTTP Transport requires cookie-based mode. You can omit the SessionTracking parameter, or set it to either Automatic (the default) or Cookie, in each eapps.cfg file section whose name starts with eai. For more information about inbound EAI HTTP Transport, see Transports and Interfaces: Siebel Enterprise Application Integration and other relevant Siebel EAI documentation.
  • Remember My User ID and Password requires that SessionTracking be set to either Automatic (the default) or Cookie. Make sure that cookies are enabled in the browser. See also the description of the auto-login credential cookie.

For information about server redirection mechanisms that involve cookies, see Siebel Portal Framework Guide.

Session Tracking Using Cookies

This topic describes the behavior of cookie-based mode. Cookie-based mode applies when SessionTracking is set to Cookie, or when SessionTracking is set to Automatic and the user's browser accepts cookies.

When a user successfully logs into the application, a unique session ID is generated. The components of the session ID are generated in the Siebel Server and sent to the Session Manager running in the SWSE. In cookie-based mode, the session ID is passed to the user's browser in the form of a nonpersistent cookie.

Session ID components include the applicable server ID, process ID, and task ID, combined with a timestamp. All values are in hexadecimal form, as shown:

server_ID.process_ID.task_ID.timestamp

For example, the session ID might resemble this:

sn=!1.132.6024.3ca46b0a

The session cookie is nonpersistent: it carries no expiry date, is held in browser memory only, and is discarded when the browser is closed. It stays in the browser for the duration of the session, and the session ID it carries stops being accepted when the user logs out or the session times out.
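The format above is what an attacker learns from a captured session ID when EncryptSessionId is off. The following decoder, added here as an example and not Siebel code, splits the page's own sample value into its server, process and task IDs and the timestamp. Stripping a leading "sn=" and "!" as the parameter name and a fixed marker, and reading the timestamp field as seconds since the Unix epoch, are assumptions for the sake of illustration.

```python
"""Decode an unencrypted Siebel session ID of the form
server_ID.process_ID.task_ID.timestamp (all fields hexadecimal) to show what
a captured plaintext cookie or URL parameter reveals.
Added example, not Siebel code."""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Constructed sample, copied from the page's own illustration of the format.
SAMPLE_SESSION_ID = "sn=!1.132.6024.3ca46b0a"

# Four dot-separated hex fields. The optional "sn=" is the parameter name;
# treating the leading "!" as a fixed marker is an assumption.
_SESSION_ID_RE = re.compile(
    r"^(?:sn=)?!?(?P<server>[0-9a-fA-F]+)\.(?P<process>[0-9a-fA-F]+)"
    r"\.(?P<task>[0-9a-fA-F]+)\.(?P<ts>[0-9a-fA-F]+)$"
)


@dataclass(frozen=True)
class SessionId:
    server_id: int
    process_id: int
    task_id: int
    timestamp: int          # raw timestamp field as an integer
    issued_at: datetime     # assumes the field is seconds since the Unix epoch


def parse_session_id(value: str) -> SessionId:
    """Split a plaintext session ID into its components.

    Raises ValueError for anything that is not four hex fields, which
    includes the base64 ciphertext produced when EncryptSessionId = TRUE.
    """
    m = _SESSION_ID_RE.match(value.strip())
    if m is None:
        raise ValueError(f"not a plaintext Siebel session ID: {value!r}")
    ts = int(m["ts"], 16)
    return SessionId(
        server_id=int(m["server"], 16),
        process_id=int(m["process"], 16),
        task_id=int(m["task"], 16),
        timestamp=ts,
        issued_at=datetime.fromtimestamp(ts, tz=timezone.utc),
    )


def is_plaintext_session_id(value: str) -> bool:
    """True if the value parses as an unencrypted session ID.

    A quick check that EncryptSessionId is actually in effect on a deployed
    SWSE: base64 ciphertext contains characters outside the hex alphabet and
    does not match the four-field pattern.
    """
    try:
        parse_session_id(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    sid = parse_session_id(SAMPLE_SESSION_ID)
    print(f"server {sid.server_id}, process {sid.process_id}, "
          f"task {sid.task_id}, issued {sid.issued_at.isoformat()}")
```

Run against a captured cookie or URL parameter, `is_plaintext_session_id` tells you whether the deployment is handing out readable server and process identifiers; a plaintext result in production is a finding in its own right.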

The session ID is encrypted in the cookie if the EncryptSessionId parameter is set to TRUE in the eapps.cfg file. The RC2 algorithm encrypts the session ID using a 56-bit key, and the ciphertext is then base64-encoded (Content-Transfer-Encoding). Encryption does not stop an attacker who can observe unencrypted HTTP traffic from capturing the cookie and replaying it; it stops whoever captures it from reading the server ID, process ID, task ID and timestamp out of it. Protect the cookie in transit with TLS regardless of this setting. A 56-bit RC2 key is weak by current standards, so if you enable EncryptSessionId, use one of the longer key lengths described below.

You can increase the encryption key length to 128-bits for RC2 and up to 256-bits for AES. To increase the encryption key length, you have to install the Siebel Strong Encryption Pack. For more information about the Siebel Strong Encryption Pack, see About the Siebel Strong Encryption Pack.
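The SessionTracking requirements listed earlier and the EncryptSessionId setting are easy to get wrong across the many application sections of an eapps.cfg file. The following audit script, added here as an example and not Siebel tooling, reads a constructed eapps.cfg excerpt with Python's configparser and reports each section whose effective settings conflict with the requirements on this page. It assumes the usual eapps.cfg layout of a [defaults] section that application sections fall back to, application sections named with a leading "/", and an EAI section named /eai_enu in the sample.

```python
"""Audit the SessionTracking and EncryptSessionId settings of an eapps.cfg
file against the requirements on this page.
Added example, not Siebel tooling; the configuration excerpt is constructed."""
import configparser
from typing import Dict, List

# Constructed eapps.cfg excerpt. Application sections named with a leading
# "/" and a [defaults] section that other sections fall back to follow the
# usual eapps.cfg layout; the section name /eai_enu is assumed for the sample.
SAMPLE_EAPPS_CFG = """
[defaults]
SessionTracking = Automatic
EncryptSessionId = FALSE

[/sales_enu]
SessionTracking = Cookie
EncryptSessionId = TRUE

[/eai_enu]
SessionTracking = URL

[/callcenter_enu]
; inherits both settings from [defaults]
"""

VALID_MODES = {"automatic", "cookie", "url"}
COOKIE_CAPABLE = {"automatic", "cookie"}   # modes that can use cookies


def load_eapps_cfg(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser()
    cp.optionxform = str            # keep parameter names case-sensitive
    cp.read_string(text)
    return cp


def effective_value(cp, section: str, key: str, default: str) -> str:
    """Value from the section, else from [defaults], else the page's default."""
    if cp.has_option(section, key):
        return cp.get(section, key)
    if cp.has_section("defaults") and cp.has_option("defaults", key):
        return cp.get("defaults", key)
    return default


def audit_session_settings(text: str) -> Dict[str, List[str]]:
    """Map each application section to its findings (empty map: all clean)."""
    cp = load_eapps_cfg(text)
    findings: Dict[str, List[str]] = {}
    for section in cp.sections():
        if section == "defaults":
            continue
        issues: List[str] = []
        mode = effective_value(cp, section, "SessionTracking", "Automatic").lower()
        encrypt = effective_value(cp, section, "EncryptSessionId", "FALSE").upper()
        app = section.lstrip("/").lower()
        if mode not in VALID_MODES:
            issues.append(f"SessionTracking={mode!r} is not Automatic, Cookie or URL")
        elif app.startswith("eai") and mode not in COOKIE_CAPABLE:
            # Inbound EAI HTTP Transport requires cookie-based mode.
            issues.append("inbound EAI HTTP Transport needs cookie-based mode: "
                          "omit SessionTracking or set Automatic or Cookie")
        if mode == "cookie":
            # Quick Print needs Automatic or URL; worth knowing before forcing Cookie.
            issues.append("Quick Print is unavailable: it needs Automatic or URL")
        if mode == "url":
            issues.append("URL mode: session IDs will appear in logs, browser "
                          "history and Referer headers")
        if encrypt != "TRUE":
            issues.append("EncryptSessionId is not TRUE: session ID components "
                          "are readable in the cookie or URL")
        if issues:
            findings[section] = issues
    return findings


if __name__ == "__main__":
    for section, issues in audit_session_settings(SAMPLE_EAPPS_CFG).items():
        print(section)
        for issue in issues:
            print("  -", issue)
```

Point it at a real file by reading the file's text into `audit_session_settings`. The Quick Print finding is informational rather than a security defect; it is included because forcing Cookie mode to satisfy Remember My User ID and Password silently removes that feature.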

For every application request that the user makes during the session, the browser sends the cookie to the Web server in the HTTP Cookie request header. A request without a valid session cookie is not honored. The cookie is therefore a bearer credential: any client that presents a valid session ID is treated as the user who logged in, which is why the cookie must not be exposed in transit or in logs.

NOTE:  If the user changes the password during an application session, then the password information in the session cookie might no longer allow the user to access the Siebel Reports Server during this session. (This issue applies when using both database authentication and password hashing.) After changing the password, the user must log out and log in again in order to be able to run reports.

Session Tracking Using URLs

This topic describes session tracking behavior when URLs rather than cookies are used to manage user sessions. When SessionTracking is set to URL, or when SessionTracking is set to Automatic and the user's browser does not accept cookies, the session ID is passed as an argument in the SWE construct of the URL. Any URL request passed to the Web server from the browser must include a valid session ID, or the Web server rejects it.

The session ID in the URL is encrypted if the EncryptSessionId parameter is set to TRUE in the eapps.cfg file. The RC2 algorithm encrypts the session ID using a 56-bit key unless the SWSE specifies the encryption key length; the ciphertext is then base64-encoded (Content-Transfer-Encoding). As with the cookie, encryption only prevents whoever captures the session ID from reading its components; it does not hide the session ID itself. A session ID carried in the URL is also recorded in browser history and in proxy and Web server access logs, and is sent in the Referer header to any site a user reaches by following a link from a Siebel page, so it is exposed in more places than a cookie.

You can increase the encryption key length to 128-bits for RC2 and up to 256-bits for AES. To increase the encryption key length, you have to install the Siebel Strong Encryption Pack. For more information about the Siebel Strong Encryption Pack, see About the Siebel Strong Encryption Pack.

A user session is managed using URLs when the browser does not send back a session cookie to the Siebel Web Engine. This event can be caused by cookies being disabled in the user's browser, or by a browser that does not support cookies.

You might want Siebel Business Applications to manage all user sessions using URLs instead of cookies if, for example, security requirements do not permit cookies. Weigh that requirement against the wider exposure of URL-carried session IDs in logs, browser history and Referer headers.
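In URL mode the session ID lands in every access log that sees the request, and in the logs of any site the user follows a link to. The following scanner, added here as an example and not Siebel tooling, finds sn values in constructed Apache combined-format log lines, reports whether each came from the request line or the Referer field, and redacts them so logs can be retained safely. The request path shape (/sales_enu/start.swe?...) is assumed; the "sn" parameter name follows the page's own example.

```python
"""Find Siebel session IDs that URL-based session tracking leaves in web
server access logs, and redact them.
Added example, not Siebel tooling; the log lines are constructed."""
import re
from typing import List, Tuple

# Constructed sample in Apache combined format. The request path is an
# assumed shape; the "sn" parameter name follows the page's own example.
# Line 3 is what a third-party site's log holds after a user follows a
# link from a Siebel page: the session ID arrives in the Referer header.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Mar/2002:13:24:30 +0000] "GET /sales_enu/start.swe?SWECmd=GotoView&sn=!1.132.6024.3ca46b0a HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [29/Mar/2002:13:25:02 +0000] "GET /sales_enu/start.swe?SWECmd=GotoView&sn=U2FsdGVkX18xMjM0 HTTP/1.1" 200 4096 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [29/Mar/2002:13:26:10 +0000] "GET /partner/page.html HTTP/1.1" 200 512 "http://crm.example/sales_enu/start.swe?sn=!1.132.6025.3ca46b40" "Mozilla/4.0"',
    '10.0.0.7 - - [29/Mar/2002:13:27:00 +0000] "GET /sales_enu/start.swe?SWECmd=Login HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
]

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
_COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# sn=<value> in a query string; the value ends at the next &, whitespace or quote.
_SN_RE = re.compile(r'(?<=[?&])sn=([^&\s"]+)')


def find_exposures(lines) -> List[Tuple[int, str, str]]:
    """Return (line number, field, session ID) for every sn value found in
    the request line or the Referer field. Encrypted (base64) IDs are
    reported too: EncryptSessionId hides the ID's structure, not the ID."""
    found = []
    for lineno, line in enumerate(lines, 1):
        m = _COMBINED_RE.match(line)
        if m is None:
            continue            # not combined format; skip rather than guess
        for field in ("request", "referer"):
            for sid in _SN_RE.findall(m.group(field)):
                found.append((lineno, field, sid))
    return found


def redact_log(lines) -> Tuple[List[str], int]:
    """Replace every sn value with a marker; return the new lines and a count."""
    redacted, count = [], 0
    for line in lines:
        new_line, n = _SN_RE.subn("sn=[REDACTED]", line)
        redacted.append(new_line)
        count += n
    return redacted, count


if __name__ == "__main__":
    for lineno, field, sid in find_exposures(SAMPLE_LOG):
        print(f"line {lineno}: session ID in {field}: {sid}")
```

The Referer case is the one to watch: a Siebel page that links to an external site hands that site a live session ID for as long as the session lasts, and no setting in eapps.cfg changes that in URL mode.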

Siebel Security Guide Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices.