Security Guide for Siebel eBusiness Applications > Security Features of Siebel Web Server Extension > Cookies and Siebel Applications >

Session Cookie


The session cookie consists of the session ID generated for a user's session. This cookie is used to manage the state of the user's session. The session cookie applies to the Siebel Web Client only.

Cookie modes are determined on the SWSE by the setting of the SessionTracking parameter in the eapps.cfg file. The settings are Automatic, Cookie, or URL.

  • Using the default SessionTracking setting of Automatic, the SWSE runs in cookie-based mode. However, if a browser does not support cookies or if a user's browser is configured to not allow cookies, the SWSE will function in cookieless mode and use URLs instead.
  • To force the SWSE to always use cookie-based mode, set SessionTracking to Cookie.
  • To force the SWSE to always use cookieless mode, set SessionTracking to URL.

For information about setting parameter values in the eapps.cfg file, see Configuration Parameters Related to Authentication.

Some Siebel application requirements relating to the settings of the SessionTracking parameter are as follows:

  • The Quick Print feature requires that SessionTracking be set to either Automatic (the default) or URL. For information about using this printing feature, see Fundamentals. For information about browser requirements for this feature, see Siebel System Administration Guide.
  • Inbound EAI HTTP Transport requires cookie-based mode. You can omit the SessionTracking parameter, or set it to either Automatic (the default) or Cookie, in each eapps.cfg file section whose name starts with eai. For more information about inbound EAI HTTP Transport, see Transports and Interfaces: Siebel eBusiness Application Integration Volume III and other relevant Siebel EAI documentation.
  • Remember My User ID and Password requires that SessionTracking be set to either Automatic (the default) or Cookie. Make sure that cookies are enabled in the browser. See also the description of the auto-login credential cookie.
  • For information about server redirection mechanisms that involve cookies, see Siebel Portal Framework Guide.
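The SessionTracking and EncryptSessionId requirements above can be checked mechanically. The following audit script is an added example, not Siebel code or part of this guide; it assumes that eapps.cfg is INI-style, that values in [defaults] apply to every application section unless that section overrides them, and that application sections are named after their virtual directory (for example [/eai_enu]) so a leading "/" is ignored when testing for the eai prefix. The configuration it reads is constructed for the example.

```python
"""Audit SessionTracking / EncryptSessionId settings in an eapps.cfg.

Added example, not Siebel code. Assumptions: INI-style file, [defaults]
values inherited by application sections, section names like [/eai_enu].
"""
import configparser
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample eapps.cfg (host, ports and section names are illustrative).
SAMPLE_EAPPS_CFG = """
[defaults]
SessionTracking = Automatic

[/callcenter_enu]
ConnectString = siebel.TCPIP.None.None://siebsrvr:2321/siebel/SCCObjMgr_enu
EncryptSessionId = TRUE

[/eai_enu]
ConnectString = siebel.TCPIP.None.None://siebsrvr:2321/siebel/EAIObjMgr_enu
SessionTracking = URL

[/eservice_enu]
ConnectString = siebel.TCPIP.None.None://siebsrvr:2321/siebel/eServiceObjMgr_enu
SessionTracking = Cookie
EncryptSessionId = FALSE
"""

VALID_TRACKING = ("automatic", "cookie", "url")


@dataclass(frozen=True)
class Finding:
    section: str
    message: str


def load_eapps(text: str) -> configparser.ConfigParser:
    # No interpolation: ConnectString values contain "://" and "%"-free but odd text.
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.read_string(text)
    return cfg


def effective(cfg: configparser.ConfigParser, section: str, key: str) -> Optional[str]:
    """Value for key in section, falling back to [defaults]; None if unset in both."""
    for sec in (section, "defaults"):
        if cfg.has_section(sec) and cfg.has_option(sec, key):
            return cfg.get(sec, key).strip()
    return None


def audit_eapps(text: str) -> List[Finding]:
    cfg = load_eapps(text)
    findings: List[Finding] = []
    for section in cfg.sections():
        if section.lower() == "defaults":
            continue
        # Omitted SessionTracking means Automatic, the documented default.
        tracking = (effective(cfg, section, "SessionTracking") or "Automatic").lower()
        encrypt = effective(cfg, section, "EncryptSessionId")
        app = section.lstrip("/").lower()

        if tracking not in VALID_TRACKING:
            findings.append(Finding(section, f"unknown SessionTracking value {tracking!r}"))
            continue
        if app.startswith("eai") and tracking == "url":
            findings.append(Finding(section, "inbound EAI HTTP Transport requires cookie-based "
                                             "mode: omit SessionTracking or set Automatic/Cookie"))
        if tracking == "url":
            findings.append(Finding(section, "cookieless mode: session ID travels in every URL "
                                             "(logs, history, Referer); Remember My User ID "
                                             "and Password unavailable"))
        if tracking == "cookie":
            findings.append(Finding(section, "SessionTracking=Cookie: Quick Print unavailable"))
        if encrypt is None:
            findings.append(Finding(section, "EncryptSessionId not set; set it to TRUE explicitly"))
        elif encrypt.lower() != "true":
            findings.append(Finding(section, f"EncryptSessionId={encrypt}: session ID fields "
                                             "are readable in the cookie or URL"))
    return findings


if __name__ == "__main__":
    for f in audit_eapps(SAMPLE_EAPPS_CFG):
        print(f"[{f.section}] {f.message}")
```

Run against a real eapps.cfg by replacing the constructed text with the file contents. The default-inheritance and section-naming rules are assumptions about the file layout; adjust `effective` and the prefix test if your installation differs.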

Cookie-Based Mode

This section describes the behavior of cookie-based mode. Cookie-based mode applies when SessionTracking is set to Cookie, or when SessionTracking is set to Automatic and the user's browser accepts cookies.

When a user successfully logs into the application, a unique session ID is generated. The components of the session ID are generated in the Siebel Server and sent to the Session Manager running in the SWSE. In cookie-based mode, the session ID is passed to the user's browser in the form of a nonpersistent cookie.

Session ID components include the applicable server ID, process ID, and task ID, combined with a timestamp. All values are in hexadecimal form, as shown:

server_ID.process_ID.task_ID.timestamp

For example, the session ID may resemble this:

sn=!1.132.6024.3ca46b0a

The session cookie is nonpersistent and is stored in memory only. It stays in the browser for the duration of the session, and is deleted when the user logs out or is timed out.

The session ID is encrypted in the cookie if the EncryptSessionId parameter is set to TRUE in the eapps.cfg file. Encrypting the session ID prevents an attacker who captures the cookie from reading the server, process, and task IDs and the timestamp it contains, values that are otherwise easy to infer or enumerate from the format shown above. Encryption does not prevent the cookie itself from being captured; protecting it in transit requires TLS between the browser and the Web server.
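The following decoder is an added example, not Siebel code or part of this guide. It parses the unencrypted server_ID.process_ID.task_ID.timestamp form shown above and gives an operator a quick check that EncryptSessionId is in effect: a captured sn value that still decodes into four hexadecimal fields is exposing its structure. It assumes that the leading "!" in the documented sample is a fixed prefix and that the timestamp field is seconds since the Unix epoch; the second sample value is constructed to stand in for an encrypted cookie.

```python
"""Decode an unencrypted Siebel session ID (server.process.task.timestamp, hex).

Added example, not Siebel code. Assumptions: "!" is a fixed prefix and the
timestamp is Unix epoch seconds.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Four dot-separated hexadecimal fields, optionally preceded by "sn=" and "!".
_PLAIN_SN = re.compile(
    r"^(?:sn=)?!?(?P<server>[0-9a-fA-F]+)\.(?P<process>[0-9a-fA-F]+)"
    r"\.(?P<task>[0-9a-fA-F]+)\.(?P<ts>[0-9a-fA-F]{1,8})$"
)


@dataclass(frozen=True)
class SessionId:
    server_id: int
    process_id: int
    task_id: int
    timestamp: int

    def created_utc(self) -> datetime:
        # Assumption: the timestamp field counts seconds since the Unix epoch.
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc)


def parse_session_id(value: str) -> Optional[SessionId]:
    """Return the decoded fields, or None if the value is not a plaintext ID.

    None is the expected result for a captured sn cookie once
    EncryptSessionId = TRUE is in effect; a decoded result means the cookie
    still reveals which server, process and task serve the session.
    """
    m = _PLAIN_SN.match(value.strip())
    if not m:
        return None
    return SessionId(
        server_id=int(m["server"], 16),
        process_id=int(m["process"], 16),
        task_id=int(m["task"], 16),
        timestamp=int(m["ts"], 16),
    )


def describe(value: str) -> str:
    """Human-readable summary of what a session ID value reveals."""
    sid = parse_session_id(value)
    if sid is None:
        return "not a plaintext session ID (encrypted or malformed)"
    return (f"server {sid.server_id}, process {sid.process_id}, task {sid.task_id}, "
            f"created {sid.created_utc():%Y-%m-%d %H:%M:%S} UTC")


if __name__ == "__main__":
    # Sample value from the documentation text.
    print(describe("sn=!1.132.6024.3ca46b0a"))
    # Constructed value standing in for an encrypted cookie.
    print(describe("sn=7Gk2xQ9bLm3pR8vT"))
```

The regular expression accepts the documented layout only; if your cookie values carry a different prefix, extend the pattern rather than loosening the field checks, since a loose match would report encrypted values as plaintext.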

For every application request that the user makes during the session, the cookie is passed to the Web server in an HTTP header as part of the request. Without a valid cookie in the HTTP header, the Web server will not honor that request.

NOTE:  If the user changes the password during an application session, then the password information in the session cookie may no longer allow the user to access the Siebel Reports Server during this session. (This issue applies when using both database authentication and password hashing.) After changing the password, the user should log out and log in again in order to be able to run reports.

Cookieless Mode

This section describes the behavior of cookieless mode. Cookieless mode applies when SessionTracking is set to URL, or when SessionTracking is set to Automatic and the user's browser does not accept cookies.

In cookieless mode, the session ID is passed as an argument in the SWE construct of the URL. Any URL request passed to the Web server from the browser must include a valid session ID, or it will be rejected by the Web server.

The session ID in the URL is encrypted if the EncryptSessionId parameter is set to TRUE in the eapps.cfg file.

A cookieless session is invoked when the browser does not send back a session cookie to the Siebel Web Engine. This event can be caused by cookies being disabled in the user's browser, or by a browser that does not support cookies.

You may want a Siebel application to function in cookieless mode for all sessions for reasons such as security requirements that do not permit cookies. Note, however, that in cookieless mode the session ID is part of every URL, so it can be recorded in Web server and proxy logs, browser history, and bookmarks, and can be sent to other sites in the Referer header. Weigh that exposure against the cookie restriction, and set EncryptSessionId to TRUE if you use this mode.
