Session Cookie

The session cookie consists of the session ID generated for a user's session. This cookie is used to manage the state of the user's session. The session cookie applies to the Siebel Web Client only. Cookie modes are determined on the SWSE by the setting of the SessionTracking parameter in the eapps.cfg file. The settings are Automatic, Cookie, or URL.
For information about setting parameter values in the eapps.cfg file, see Configuration Parameters Related to Authentication. Some Siebel Business Applications requirements relating to the settings of the SessionTracking parameter are as follows:
For information about server redirection mechanisms that involve cookies, see Siebel Portal Framework Guide.

Session Tracking Using Cookies

This topic describes the behavior of cookie-based mode. Cookie-based mode applies when SessionTracking is set to

When a user successfully logs into the application, a unique session ID is generated. The components of the session ID are generated in the Siebel Server and sent to the Session Manager running in the SWSE. In cookie-based mode, the session ID is passed to the user's browser in the form of a nonpersistent cookie.

Session ID components include the applicable server ID, process ID, and task ID, combined with a timestamp. All values are in hexadecimal form, as shown:

server_ID.process_ID.task_ID.timestamp

For example, the session ID might resemble this:

The session cookie is nonpersistent and is stored in memory only. It stays in the browser for the duration of the session, and is deleted when the user logs out or is timed out.

The session ID is encrypted in the cookie if the EncryptSessionId parameter is set to TRUE in the eapps.cfg file. The RC2 algorithm encrypts the session ID in the cookie using a 56-bit encryption key. The result of this encryption is then encoded using base64 Content-Transfer-Encoding. Encrypting the session ID prevents an attacker who captures the cookie from determining its format.

You can increase the encryption key length to 128 bits for RC2 and up to 256 bits for AES. To increase the encryption key length, you have to install the Siebel Strong Encryption Pack. For more information about the Siebel Strong Encryption Pack, see About the Siebel Strong Encryption Pack.

For every application request that the user makes during the session, the cookie is passed to the Web server in an HTTP header as part of the request. Without a valid cookie in the HTTP header, the Web server will not honor that request.
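As an added example (not from the Siebel documentation), the following Python checks whether a captured session-cookie value still has the plaintext server_ID.process_ID.task_ID.timestamp layout described above, or the base64 form produced when EncryptSessionId is TRUE; a plaintext match during an audit shows that the parameter is not in effect. The cookie values are constructed, and the base64 check is a heuristic: any value that decodes as base64 is reported as encrypted.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Unencrypted layout from the page: four dot-separated hexadecimal fields.
PLAINTEXT_SESSION_ID = re.compile(
    r"^([0-9a-fA-F]+)\.([0-9a-fA-F]+)\.([0-9a-fA-F]+)\.([0-9a-fA-F]+)$"
)


@dataclass
class SessionId:
    server_id: int
    process_id: int
    task_id: int
    timestamp: int  # hexadecimal on the wire; exact epoch/units not stated on the page


def parse_plaintext_session_id(value: str) -> Optional[SessionId]:
    """Return the four components if value has the plaintext dotted-hex form, else None."""
    m = PLAINTEXT_SESSION_ID.match(value)
    if not m:
        return None
    return SessionId(*(int(field, 16) for field in m.groups()))


def looks_base64(value: str) -> bool:
    """True if value is non-empty and decodes as strict standard base64."""
    if not value:
        return False
    try:
        base64.b64decode(value, validate=True)  # rejects '.', spaces, '!' etc.
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def classify_session_cookie(value: str) -> str:
    """Classify a captured cookie value as 'plaintext', 'encrypted' or 'unknown'."""
    if parse_plaintext_session_id(value) is not None:
        return "plaintext"  # EncryptSessionId is not in effect for this session
    if looks_base64(value):
        return "encrypted"  # consistent with RC2/AES output encoded in base64
    return "unknown"


if __name__ == "__main__":
    # Constructed sample values, not real Siebel session IDs.
    for sample in ("1.1f4.2a.4cf3e2a1", "AAECAwQFBgc=", "not a cookie!"):
        print(sample, "->", classify_session_cookie(sample))
```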
NOTE: If the user changes the password during an application session, then the password information in the session cookie might no longer allow the user to access the Siebel Reports Server during this session. (This issue applies when using both database authentication and password hashing.) After changing the password, the user must log out and log in again in order to be able to run reports.

Session Tracking Using URLs

This topic describes session tracking behavior when URLs rather than cookies are used to manage user sessions. When SessionTracking is set to URL, or when SessionTracking is set to Automatic and the user's browser does not accept cookies, the session ID is passed as an argument in the SWE construct of the URL. Any URL request passed to the Web server from the browser must include a valid session ID, or the Web server rejects it.

The session ID in the URL is encrypted if the EncryptSessionId parameter is set to

You can increase the encryption key length to 128 bits for RC2 and up to 256 bits for AES. To increase the encryption key length, you have to install the Siebel Strong Encryption Pack. For more information about the Siebel Strong Encryption Pack, see About the Siebel Strong Encryption Pack.

A user session is managed using URLs when the browser does not send back a session cookie to the Siebel Web Engine. This can be caused by cookies being disabled in the user's browser, or by a browser that does not support cookies. You might want Siebel Business Applications to manage all user sessions using URLs instead of cookies if, for example, security requirements do not permit cookies.
Siebel Security Guide. Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices.