Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2017, Rev. A
E24814-01

About Using Cookies with Siebel Business Applications

Siebel Business Applications running in the Web browser use cookies for a variety of purposes. This topic describes the types of cookies used and provides instructions for enabling cookies for Siebel Business Applications.

All cookies used by Siebel Business Applications are encrypted using standard encryption algorithms. Siebel Business Applications use the following kinds of cookies:


Note:

It is recommended that you always run Siebel applications in HTTPS mode so that cookies are marked as secure. This ensures that secure and insecure content are not mixed. Applications run in HTTP mode do not mark cookies as secure.

Using cookies helps to maintain user session information. Browsers with cookies disabled cannot maintain a Siebel user session. Siebel does not support or recommend cookieless mode.

Related Topic

"Enabling Cookies for Siebel Business Applications"

Session Cookie

The session cookie consists of the session ID generated for a user's session. This cookie is used to manage the state of the user's session. The session cookie applies to the Siebel Web Client only.

Web browsers with cookie handling disabled cannot maintain a Siebel user session.

When a Siebel Web Client user successfully logs into Siebel Business Applications, a unique session ID is generated for that user. The steps involved in a user session are as follows:

  1. The components of the session ID are generated in the Siebel Server and sent to the Session Manager running in the Siebel Application Interface.

  2. The session ID is passed to the client in a cookie.

    The following occurs:

    • The session ID is passed to the user's browser in the form of a nonpersistent cookie which is stored in memory. It stays in the browser for the duration of the session, and is deleted when the user logs out or is timed out.

    • For every application request that the user makes during the session, the cookie is passed to the Web server in an HTTP header as part of the request.

    • The Siebel Application Interface parses the incoming cookie to obtain the session ID and, if the ID is valid, processes the request. If the HTTP header does not include a cookie containing a valid session ID, then the Web server does not honor that request.

The session cookie is used to maintain a stateful session, and the SRN, which is generated after an explicit user login, is used to maintain a secure session for the logged-in user. The SRN protects all write operations in a user session.

Using Secure Cookies

To increase the security of session cookies, Siebel Business Applications assign the Secure attribute to all session cookies by default. Setting the Secure attribute for cookies specifies that the cookies are to be transmitted to Web servers only over HTTPS connections, that is, to Web servers that have enabled TLS.

Session ID Encryption

The Siebel session ID is encrypted with AES256.


Note:

If a user changes their password during an application session, then the password information in the session ID might no longer allow the user to access Siebel Reports during this session. This is the case when using both database authentication and password hashing. After changing the password, the user must log out and log in again in order to be able to run reports.

Auto-Login Credential Cookie

This cookie consists of the user name for a given user, and the URL string used to access the application. The auto-login credential cookie is persistent and is stored on the user's browser in encrypted form (it is always encrypted). The AES algorithm encrypts this cookie. The result of this encryption is then encoded using base64 Content-Transfer-Encoding. This cookie applies to the Siebel Web Client only.

The auto-login credential cookie is not mandatory. It is an optional way to spare users from entering their user name every time they log in. If the user subsequently accesses the application URL through another browser window, then the user information is provided to the application so the user does not have to provide it again.

The format of the auto-login credential cookie is as follows:

start.swe=encrypted_user_information
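
The following check is an added example, not Oracle or Siebel code. It audits Set-Cookie headers against the behavior described in "Session Cookie", "Using Secure Cookies", and "Auto-Login Credential Cookie": every cookie carries Secure, the session cookie is nonpersistent, and the start.swe value is base64. The session cookie name SIEBEL_SESSION and all header values are constructed placeholders.

```python
import base64
import binascii

# Constructed Set-Cookie values, not captured from a real deployment.
# SIEBEL_SESSION is a placeholder name; start.swe is the name shown on this page.
HTTPS_RESPONSE = [
    "SIEBEL_SESSION=Zm9vYmFyMTIzNDU2Nzg5MA==; Path=/; Secure",
    "start.swe=q83vEjRWeJCrze8SNFZ4kA==; Path=/; Secure; "
    "Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]
HTTP_RESPONSE = [
    "SIEBEL_SESSION=Zm9vYmFyMTIzNDU2Nzg5MA==; Path=/; Max-Age=3600",
    "start.swe=jsmith:/app/start; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def audit(headers, session_name="SIEBEL_SESSION", autologin_name="start.swe"):
    """Return findings where a cookie departs from the documented behavior."""
    findings = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            findings.append(f"{name}: Secure attribute missing")
        # The session cookie is documented as nonpersistent (memory only).
        if name == session_name and ("expires" in attrs or "max-age" in attrs):
            findings.append(f"{name}: session cookie is persistent")
        # The auto-login cookie is documented as AES output encoded in base64.
        if name == autologin_name:
            try:
                base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError):
                findings.append(f"{name}: value is not base64")
    return findings


if __name__ == "__main__":
    for label, headers in (("HTTPS", HTTPS_RESPONSE), ("HTTP", HTTP_RESPONSE)):
        print(label, audit(headers) or "no findings")
```

A passing base64 check confirms only the encoding, not that the content is encrypted.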

Enabling Cookies for Siebel Business Applications

This topic describes how to enable the Microsoft Internet Explorer Web browser to handle cookies used by Siebel Business Applications. These instructions can vary depending on your supported browser version.


Note:

If you are using a browser other than Internet Explorer to run Siebel Business Applications, see your browser documentation for information on enabling cookies.

To enable cookies using Internet Explorer  

  1. Choose Tools, and then Internet Options.

  2. Click the Privacy tab.

  3. In Privacy settings, click Advanced.

  4. Verify that Override automatic cookie handling is checked. Also consider:

    • If First-party Cookies is set to Accept, then all Siebel cookies are enabled.

    • If First-party Cookies are blocked, then you can still enable the session cookie by checking Always allow session cookies.

  5. Click OK, then click OK again.