on 07-23-2010 4:32 PM
I access a web application in two ways.
Everything happens as I expect when I do it the first way.
I do not understand what happens when I do it the second way, using the URL param sap-system-login-basic_auth.
I am looking for enlightenment. Here goes:
1. I use http://myserver.com/myapp.html
a) I see a login screen sent by the server where I can supply username and password
b) the application (a flash movie) loads and initializes itself with my personal data by calling some web services
c) a single sign on cookie MYSAPSSO2 gets created
d) I delete the cookie and reload the URL
e) and everything starts from a) all over: I see a login screen etc.
2. I use http://myserver.com/myapp.html?sap-system-login-basic_auth=X
a) I get a browser popup for username and password
b) the application (a flash movie) loads and initializes itself by calling some web services
c) a single sign on cookie MYSAPSSO2 gets created
d) I delete the cookie and reload the URL
e) Immediately a new MYSAPSSO2 cookie gets created and the application loads with my personal data, without re-authentication!
There is no other cookie containing username and password, there is no session id in the URL. How the heck am I logged in automatically with the correct credentials, or reconnected to an existing session, or whatever? I am completely baffled.
-- Sebastian
The explanation for the behaviour of 2 (sap-system-login-basic_auth=X) has nothing to do with sessions or cookies. Most browsers remember your basic authentication credentials and don't ask for them the second time. This is true even if you don't ask the browser to remember them (with the checkbox) - until you close your browser it will automatically pass your username password again. In fact it does this for every request until you close your browser or clear your auth cache with javascript (Bookmarklet: javascript:void(document.execCommand('ClearAuthenticationCache'));).
Hi Sebastian,
A session cookie is created when you have sap-system-login-basic_auth=X in the URL. It's the reason that you can still load the application without re-authentication. If you have IE Developer Toolbar, you can clear session cookies and try again. It will ask for credentials then.
Regards,
Min
Hello Min,
that is what I would have thought. But as I said, the session cookie is the single sign-on cookie MYSAPSSO2, and I did delete that. The only other session cookie is sap-usercontext, which only has the SAP client and logon language. There is no sap-contextid or any other cookie. Thence my confusion. (I haven't checked this in Developer Toolbar, but simply using Firebug/Firecookie.)
-- Sebastian
Oh, thanks - that is a very annoying "feature"! So Firefox keeps you logged in while it is running. Whoever thought of that.
I suppose there are two consequences:
a) production servers should never allow browser basic authentication (it is not secure anyway)
b) if they do, no browser-neutral, purely client-side logout by deleting the session-id is possible.
In Java Servlets, there is javax.servlet.http.HttpSession.invalidate() to remove a session on the server. Do you happen to know if there is any equivalent in ABAP?
-- Sebastian
Hi,
there is a nice [article|http://en.wikipedia.org/wiki/Basic_access_authentication] on Wikipedia which explains what exactly basic authentication is. Especially, have a look at the "Disadvantages" section. There is a workaround for how to log out using AJAX. You execute an AJAX call with invalid credentials. This call invalidates the previous session and it obviously fails. Therefore you get logged off. This should be browser neutral.
Cheers
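The two mechanisms discussed in this thread (the browser replaying cached Basic credentials on every request, and the "AJAX call with invalid credentials" logout from the last reply) can be walked through in code. The following is an added example, not code from the thread or from SAP: a toy server that accepts either valid Basic credentials or a valid MYSAPSSO2 cookie, and a browser model that remembers the Authorization header once it has been accepted. The user database, password, realm name and the server's policy of discarding the cookie's session when explicit credentials are invalid are all constructed assumptions for the model.

```python
"""Model of scenario 2 from the thread: Basic authentication plus an SSO cookie.

Added example (not the thread's or SAP's code). Shows why deleting the
MYSAPSSO2 cookie does not log a Basic-auth user out, and how a request with
deliberately invalid credentials replaces the browser's cached ones.
"""
import base64
import secrets
from typing import Dict, Optional, Tuple

# Constructed user database and realm; a real server would compare password hashes.
USERS = {"sebastian": "s3cret"}
SSO_COOKIE = "MYSAPSSO2"
REALM = "SAP System"


def encode_basic(user: str, password: str) -> str:
    """Value of an 'Authorization: Basic base64(user:password)' header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode a Basic header into (user, password); None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def server_handle(headers: Dict[str, str], sessions: Dict[str, str]) -> Dict[str, object]:
    """Toy server. Explicit credentials are checked first; a valid SSO cookie alone
    is also accepted. Invalid explicit credentials count as a failed login and
    discard the session named in the cookie (the premise of the AJAX logout)."""
    cookie = headers.get("Cookie")
    creds = parse_basic(headers.get("Authorization"))
    challenge = {"status": 401, "www_authenticate": f'Basic realm="{REALM}"'}
    if creds is not None:
        if USERS.get(creds[0]) == creds[1]:
            token = secrets.token_hex(8)            # new MYSAPSSO2 value
            sessions[token] = creds[0]
            return {"status": 200, "user": creds[0], "set_cookie": token}
        sessions.pop(cookie, None)
        return challenge
    if cookie in sessions:
        return {"status": 200, "user": sessions[cookie]}
    return challenge


class Browser:
    """Browser model of the behaviour described in the thread: after one accepted
    Basic login, the Authorization header is replayed on every request to the
    realm until the browser exits or new credentials replace it."""

    def __init__(self) -> None:
        self.auth_cache: Optional[str] = None   # remembered Authorization value
        self.cookies: Dict[str, str] = {}
        self.popups = 0                         # credential popups shown to the user

    def _headers(self) -> Dict[str, str]:
        headers: Dict[str, str] = {}
        if SSO_COOKIE in self.cookies:
            headers["Cookie"] = self.cookies[SSO_COOKIE]
        if self.auth_cache:
            headers["Authorization"] = self.auth_cache
        return headers

    def _store(self, resp: Dict[str, object]) -> None:
        if "set_cookie" in resp:
            self.cookies[SSO_COOKIE] = str(resp["set_cookie"])

    def load(self, sessions: Dict[str, str], typed: Optional[Tuple[str, str]] = None):
        """Navigate to the URL; 'typed' is what the user would enter in the popup."""
        resp = server_handle(self._headers(), sessions)
        if resp["status"] == 401:
            self.popups += 1
            if typed is None:
                return resp                     # user cancels the popup
            self.auth_cache = encode_basic(*typed)
            resp = server_handle(self._headers(), sessions)
        self._store(resp)
        return resp

    def ajax(self, sessions: Dict[str, str], creds: Tuple[str, str]):
        """XMLHttpRequest with explicit credentials: they are sent instead of the
        cached ones and then remembered for the realm, even when rejected."""
        self.auth_cache = encode_basic(*creds)
        resp = server_handle(self._headers(), sessions)
        self._store(resp)
        return resp


def run_scenario():
    """Steps 2a-2e from the question, then the AJAX logout from the last reply.
    Returns (step, HTTP status, popups seen so far) per step."""
    sessions: Dict[str, str] = {}
    browser = Browser()
    events = []
    r1 = browser.load(sessions, typed=("sebastian", "s3cret"))     # 2a-2c
    events.append(("first load", r1["status"], browser.popups))
    browser.cookies.pop(SSO_COOKIE)                                 # 2d
    r2 = browser.load(sessions)                                     # 2e: no popup
    events.append(("reload after deleting cookie", r2["status"], browser.popups))
    r3 = browser.ajax(sessions, ("sebastian", "wrong-password"))    # logout trick
    events.append(("ajax with invalid credentials", r3["status"], browser.popups))
    r4 = browser.load(sessions)                                     # popup again
    events.append(("reload after logout", r4["status"], browser.popups))
    return events   # statuses 200, 200, 401, 401; popups 1, 1, 1, 2


if __name__ == "__main__":
    for step in run_scenario():
        print(*step)
```

Step two of the scenario is the puzzling part of the question: the cookie is gone, yet the cached Authorization header re-authenticates and a fresh MYSAPSSO2 is issued without any popup. Step four shows the work-around: once the browser's cache holds credentials the server rejects, the next navigation gets a 401 and the user is asked to log in again.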