How is session maintained with URL param sap-system-login-basic_auth=X

Former Member

I access a web application in two ways.

Everything happens as I expect when I do it the first way.

I do not understand what happens when I do it the second way, using the URL param sap-system-login-basic_auth.

I am looking for enlightenment. Here goes:

1. I use http://myserver.com/myapp.html

a) I see a login screen sent by the server where I can supply username and password

b) the application (a flash movie) loads and initializes itself with my personal data by calling some web services

c) a single sign on cookie MYSAPSSO2 gets created

d) I delete the cookie and reload the URL

e) and everything starts from a) all over: I see a login screen etc.

2. I use http://myserver.com/myapp.html?sap-system-login-basic_auth=X

a) I get a browser popup for username and password

b) the application (a flash movie) loads and initializes itself by calling some web services

c) a single sign on cookie MYSAPSSO2 gets created

d) I delete the cookie and reload the URL

e) Immediately a new MYSAPSSO2 cookie gets created and the application loads with my personal data, without re-authentication!

There is no other cookie containing username and password, there is no session id in the URL. How the heck am I logged in automatically with the correct credentials, or reconnected to an existing session, or whatever? I am completely baffled.

-- Sebastian

Answers (2)

Former Member

The explanation for the behaviour of 2 (sap-system-login-basic_auth=X) has nothing to do with sessions or cookies. Most browsers remember your basic authentication credentials and don't ask for them the second time. This is true even if you don't ask the browser to remember them (with the checkbox): until you close your browser it will automatically pass your username and password again. In fact it does this for every request until you close your browser or clear your auth cache with JavaScript (bookmarklet: javascript:void(document.execCommand('ClearAuthenticationCache'));).

Former Member

Hi Sebastian,

A session cookie is created when you have sap-system-login-basic_auth=X in the URL. It's the reason that you can still load the application without re-authentication. If you have IE Developer Toolbar, you can clear session cookies and try again. It will ask for credentials then.

Regards,

Min

Former Member

Hello Min,

That is what I would have thought. But as I said, the session cookie is the single sign on cookie MYSAPSSO2, and I did delete that. The only other session cookie is sap-usercontext, which only has the SAP client and logon language. There is no sap-contextid or any other cookie. Thence my confusion. (I haven't checked this in developer, but simply using Firebug/Firecookie.)

-- Sebastian

Former Member

Hi Sebastian,

I tried Firecookie and it DOES behave like what you said. Firefox works differently than IE apparently. It keeps an "active logins" list. If you go to Tools->Clear Recent History, check Active Logins and click Clear Now, you will get the login popup back.

Min

Former Member

Oh, thanks, that is a very annoying "feature"! So Firefox keeps you logged in while it is running. Whoever thought of that.

I suppose there are two consequences:

a) production servers should never allow browser basic authentication (it is not secure anyway)

b) if they do, no browser-neutral, purely client-side logout by deleting the session-id is possible.

In Java Servlets, there is javax.servlet.http.HttpSession.invalidate() to remove a session on the server. Do you happen to know if there is any equivalent in ABAP?

-- Sebastian

mvoros
Active Contributor

Hi,

there is a nice [article|http://en.wikipedia.org/wiki/Basic_access_authentication] on Wikipedia which explains what exactly basic authentication is. Especially, have a look at the section "Disadvantages". There is a workaround for how to log out using AJAX. You execute an AJAX call with invalid credentials. This call invalidates the previous session and it obviously fails. Therefore you get logged off. This should be browser neutral.

Cheers
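The following is an added example and not code from the thread or from SAP. It models, in plain Node.js with no network, the two mechanisms discussed above: the first answer's point that the browser replays cached Basic credentials on every request (so deleting MYSAPSSO2 changes nothing), and mvoros's suggestion of logging out with an AJAX call that carries invalid credentials. Everything in it is an assumption made for illustration: the realm name, the user table, the server honouring a valid SSO cookie before looking at the Authorization header, and the simplified browser rules (typed credentials are cached per realm and replayed until a 401 for that realm clears them; a navigation that gets a 401 shows the popup, an XHR that supplied its own credentials does not). Real browsers differ in detail, as the Firefox "Active Logins" and IE ClearAuthenticationCache discussion shows.

```javascript
"use strict";

// Assumed realm name and a constructed user table; neither comes from the thread.
const REALM = "SAP NetWeaver Application Server";
const USERS = { sebastian: "s3cret" };
// Stand-in for verifying a real MYSAPSSO2 ticket's signature.
const issuedTickets = new Set();

function encodeBasic(user, pass) {
  return "Basic " + Buffer.from(`${user}:${pass}`, "utf8").toString("base64");
}

// Parse an Authorization header; null for anything that is not well-formed
// Basic. The split is on the first ':' so the password may contain colons.
function decodeBasic(header) {
  if (typeof header !== "string") return null;
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/.exec(header.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const i = decoded.indexOf(":");
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Server: a valid SSO cookie is honoured first (assumed order); otherwise the
// Basic header is checked on *every* request. No server-side session exists,
// so there is nothing for the client to delete except the cookie.
function serverHandle(req) {
  const ticket = req.cookies.MYSAPSSO2;
  if (ticket && issuedTickets.has(ticket)) {
    return { status: 200, via: "cookie", setCookie: null };
  }
  const creds = decodeBasic(req.headers.authorization);
  if (creds && USERS[creds.user] === creds.pass) {
    const fresh = `ticket-for-${creds.user}-${issuedTickets.size + 1}`;
    issuedTickets.add(fresh);
    return { status: 200, via: "basic", setCookie: { MYSAPSSO2: fresh } };
  }
  return { status: 401, via: null, setCookie: null,
           wwwAuthenticate: `Basic realm="${REALM}"` };
}

// Browser model, simplified from what the thread describes (an assumption;
// real browsers differ in detail): typed credentials are cached and replayed
// on every later request, a 401 empties the cache, a navigation that gets a
// 401 shows the popup, an XHR that supplied its own credentials does not.
class BrowserModel {
  constructor() { this.cookies = {}; this.authCache = null; this.prompts = 0; }

  send(authorization) {
    const res = serverHandle({ headers: { authorization }, cookies: { ...this.cookies } });
    if (res.setCookie) Object.assign(this.cookies, res.setCookie);
    return res;
  }

  // Top-level navigation: replay the cache, prompt once on 401.
  navigate(promptFor) {
    let res = this.send(this.authCache);
    if (res.status !== 401) return res;
    this.authCache = null;
    this.prompts += 1;
    const typed = promptFor();
    if (!typed) return res;
    this.authCache = encodeBasic(typed.user, typed.pass);
    res = this.send(this.authCache);
    if (res.status === 401) this.authCache = null;
    return res;
  }

  // XMLHttpRequest with explicit (here deliberately wrong) credentials.
  xhrWithCredentials(user, pass) {
    const res = this.send(encodeBasic(user, pass));
    if (res.status === 401) this.authCache = null;
    return res;
  }

  deleteCookie(name) { delete this.cookies[name]; }
}

// Replays the thread's scenario 2, then the AJAX logout suggested at the end.
function runScenario() {
  const b = new BrowserModel();
  const typeRealCreds = () => ({ user: "sebastian", pass: "s3cret" });
  const out = {};

  out.firstLoad = b.navigate(typeRealCreds);             // 2a-2c: popup, 200, cookie
  out.promptsAfterFirstLoad = b.prompts;                 // 1
  out.cookieAfterFirstLoad = b.cookies.MYSAPSSO2;

  b.deleteCookie("MYSAPSSO2");                           // 2d
  out.reload = b.navigate(typeRealCreds);                // 2e: no popup, header replayed
  out.promptsAfterReload = b.prompts;                    // still 1
  out.cookieAfterReload = b.cookies.MYSAPSSO2;           // a new ticket

  // Caveat: while the SSO cookie is still sent, the bad-credential request
  // is answered from the cookie and the browser's cache is untouched.
  out.logoutWithCookie = b.xhrWithCredentials("logout", "logout");

  b.deleteCookie("MYSAPSSO2");                           // client-side logout, step 1
  out.logout = b.xhrWithCredentials("logout", "logout"); // step 2: 401 clears the cache
  out.cacheAfterLogout = b.authCache;                    // null

  out.afterLogout = b.navigate(() => null);              // popup is back
  out.promptsAfterLogout = b.prompts;                    // 2
  return out;
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Running it with `node` prints the observations in order: one popup on the first load, a reload after the cookie is deleted that succeeds via the replayed Authorization header and gets a fresh MYSAPSSO2, and a popup again only after the cookie is gone *and* a 401 has emptied the browser's credential cache. The "cookie wins" step is the practical caveat for this thread: the bad-credential AJAX call alone is answered from the SSO cookie, so a client-side logout needs both the cookie deletion Sebastian already did and the 401-provoking request; whether a given browser really drops its cache on that 401 has to be checked per browser.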