Clear MYSAPSSO2 Cookie through JavaScript

Former Member
0 Kudos

Hi Expert,

I am facing a problem with the MYSAPSSO2 cookie. We are in fact using the PhoneGap web container and retrieve the MYSAPSSO2 cookie after authentication. The problem is that after the user has logged out, the MYSAPSSO2 cookie remains and the authentication process is skipped. Is there any way we can delete/remove/clear the MYSAPSSO2 cookie through JavaScript?

Thanks in advance!

Best Regards,

Yi Ying

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hi,

We have similar requirement.

How did you achieve it?

Regards,

Apurva

Former Member
0 Kudos

Hi,

Normally the MYSAPSSO2 cookie is issued with the flag HTTPONLY, meaning that it is not accessible through javascript.

Your best approach would be to redirect the end-user to the logout function of the SAP system that issued the MYSAPSSO2 cookie in the first place.

Another option would be to overwrite the cookie with a new expired one.

(Not sure how this will work with a httponly cookie though.)

From http://www.w3schools.com/js/js_cookies.asp

function setCookie(c_name, value, exdays)
{
  // exdays is relative to today; pass a negative number to produce an
  // already-expired cookie (see change 1 below), or null for a session cookie.
  var exdate = new Date();
  exdate.setDate(exdate.getDate() + exdays);
  // encodeURIComponent replaces the deprecated escape() used in the w3schools original.
  var c_value = encodeURIComponent(value) + ((exdays == null) ? "" : "; expires=" + exdate.toUTCString());
  document.cookie = c_name + "=" + c_value;
}

You need to make the following changes:

1. You must change how exdate is set. It should be a date before the current date.

2. Perform domain relaxing so that the cookie is issued in the same domain as the original MYSAPSSO2 (this may be impossible with PhoneGap, as it is running on the local file system, not in the same domain as the SAP system).

Regards

Dagfinn

Former Member
0 Kudos

Hi Dagfinn,

Thank you for the reply. I read through a helpful article yesterday: http://help.sap.com/saphelp_nw04s/helpdata/en/fc/04a5421935c511e10000000a1550b0/content.htm

It's similar to the code you gave; it provides an example of how to delete the SSO2 cookie through JavaScript.

However, it still doesn't clear the MYSAPSSO2 cookie in my case. I noticed that I am able to see the cookie in Fiddler while tracing the HTTP traffic, but when I entered "javascript: alert(document.cookie)" in the web browser to print the cookies of the same page, it shows no cookie as output.

So I am a bit confused as to why the cookie can be seen in Fiddler but doesn't turn up in the browser.

I do agree with your suggestion to redirect to the logout function of the SAP system. However, the application we are developing is not a portal application; we are using NetWeaver Gateway services, and I am not quite sure how to call the SAP logout function. Any idea how this can be achieved?

Many thanks!

Best Regards,

Yi Ying

Former Member
0 Kudos

Hi,

Fiddler looks at the raw HTTP request and therefore sees the cookie.

The HTTPOnly flag signals to the browser that it should not make the cookie accessible through the JavaScript sandbox. The cookie still exists, but it is not accessible through JavaScript.

"The HttpOnly cookie is supported by most modern browsers. On a supported browser, an HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests, thus restricting access from other, non-HTTP APIs (such as JavaScript). This restriction mitigates but does not eliminate the threat of session cookie theft via cross-site scripting (XSS). This feature applies only to session-management cookies, and not other browser cookies."

ref http://en.wikipedia.org/wiki/HTTP_cookie

Had a look at the documentation for SAP NW Gateway, but could not find any mention of a log out process http://help.sap.com/saphelp_gateway20sp04/helpdata/en/55/3961c7310d48e1864e6be1605797ea/frameset.htm

Suggest you create a new thread in the SAP NW Gateway forum for how to logout a session. There might be other alternatives available besides deleting it with javascript.

Former Member
0 Kudos

Hi Dagfinn,

Once again, thank you for the response. You pointed me in the right direction, and I finally got a workaround to solve this.

The project is actually a mobile application which requests services from NetWeaver Gateway, and we are using SSO2 (Single Sign-On), which involves the MYSAPSSO2 token for authentication. The problem we faced is that even when the user is logged out of the mobile application, the MYSAPSSO2 token cookie is still there, and therefore the re-authentication (which should happen) is skipped.

In case someone else is looking for something like this as well, our solution is: create a BSP application to clear the MYSAPSSO2 cookie. It holds logout.htm, which is called by the mobile application after the user logs out. The logic in logout.htm is written as below:

==================================================================

<%
" Server-side logoff page. MYSAPSSO2 is HttpOnly, so only the issuing
" server can expire it: HTTP_DELETE_SSO2_COOKIE tells the browser, via
" this response, to discard the cookie. The mobile app requests this
" page after the user logs out.
CALL FUNCTION 'HTTP_DELETE_SSO2_COOKIE'
  EXPORTING
    server = runtime->server.
%>

=================================================================

Cheers!

Best Regards,

Yi Ying

hofmann
Active Contributor
0 Kudos

Hi,

as MYSAPSSO2 is HTTP only, you can only set/change/delete it from the server side. That's why your workaround works. But as you get the MYSAPSSO2 cookie from a NW Java system where you log on, why don't you use that system for log on and log off? After all, MYSAPSSO2 is just one part of the authentication. You will still have the JSESSION (and saplb) cookie. You should log off from the system that gave you the MYSAPSSO2 cookie; otherwise your session will stay open.

Tobias
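The following is an added example written for this page; it is not code from the thread, from SAP, or from PhoneGap. It is a small model of a browser cookie store that follows the RFC 6265 rules behind the three points made above: Dagfinn's (HttpOnly cookies are invisible to script and an expired overwrite only replaces a cookie with the same name, domain and path), Yi Ying's observation that Fiddler shows MYSAPSSO2 while document.cookie does not, and Tobias's point that the issuing server must expire MYSAPSSO2 together with the JSESSIONID and saplb cookies. Host names, cookie values and the exact Set-Cookie headers are constructed; the real SAP headers are not reproduced here.

```javascript
// Added example (not from this thread or from SAP): a model of a browser
// cookie store following the RFC 6265 rules that matter for MYSAPSSO2.
// Host names, cookie values and header contents are constructed.

// Split "NAME=value; Attr=x; Flag" (a Set-Cookie header or a document.cookie
// assignment) into its name, value and lower-cased attribute map.
function parseCookieString(str) {
  const [pair, ...attrParts] = str.split(";");
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const [k, ...rest] = part.trim().split("=");
    attrs[k.toLowerCase()] = rest.length ? rest.join("=").trim() : true;
  }
  return { name, value, attrs };
}

// RFC 6265 domain matching: "example.com" covers "sap.example.com", not "localhost".
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

class CookieJar {
  constructor(now = Date.now) { this.store = new Map(); this.now = now; }
  key(c) { return `${c.name}|${c.domain}|${c.path}`; }

  // fromHttp = true models a Set-Cookie response header from `host`;
  // fromHttp = false models `document.cookie = "..."` run by a page on `host`.
  set(host, cookieString, fromHttp) {
    const { name, value, attrs } = parseCookieString(cookieString);
    const domain = (attrs.domain ? attrs.domain.replace(/^\./, "") : host).toLowerCase();
    if (!domainMatches(host, domain)) return false; // foreign origin: rejected
    const cookie = {
      name, value, domain, path: attrs.path || "/",
      httpOnly: attrs.httponly === true,
      expires: attrs["max-age"] !== undefined ? this.now() + Number(attrs["max-age"]) * 1000
             : attrs.expires ? Date.parse(attrs.expires) : Infinity,
    };
    const k = this.key(cookie);
    if (!fromHttp) {
      // RFC 6265 section 5.3: a non-HTTP API may neither create an HttpOnly
      // cookie nor replace (and thereby expire) an existing one.
      if (cookie.httpOnly) return false;
      const old = this.store.get(k);
      if (old && old.httpOnly) return false;
    }
    if (cookie.expires <= this.now()) this.store.delete(k); // expired on arrival = delete
    else this.store.set(k, cookie);
    return true;
  }

  // Cookies the browser would attach to a request for `host` + `path`.
  matching(host, path = "/") {
    return [...this.store.values()].filter(
      (c) => domainMatches(host, c.domain) && path.startsWith(c.path) && c.expires > this.now());
  }
  // The Cookie request header: what Fiddler sees on the wire.
  cookieHeader(host, path = "/") {
    return this.matching(host, path).map((c) => `${c.name}=${c.value}`).join("; ");
  }
  // What document.cookie returns: HttpOnly cookies are filtered out.
  documentCookie(host, path = "/") {
    return this.matching(host, path).filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`).join("; ");
  }
}

// Replay the situation from the thread against the model.
function demo() {
  const jar = new CookieJar();
  const sap = "sap.example.com"; // constructed; "localhost" below stands in for the PhoneGap file:// page
  jar.set(sap, "MYSAPSSO2=AjExMDAgAA...; Domain=example.com; Path=/; HttpOnly", true);
  jar.set(sap, "JSESSIONID=abc123; Path=/; HttpOnly", true);
  jar.set(sap, "saplb_P01=(J2EE1234520)1234567; Path=/", true); // load-balancer cookie, not HttpOnly

  const onWire = jar.cookieHeader(sap);      // contains MYSAPSSO2 (Fiddler view)
  const inScript = jar.documentCookie(sap);  // alert(document.cookie): MYSAPSSO2 absent

  const expired = "MYSAPSSO2=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=example.com; path=/";
  const jsClear = jar.set(sap, expired, false);              // same origin: blocked by HttpOnly
  const foreignClear = jar.set("localhost", expired, false); // file:// page: wrong domain
  const stillThere = jar.cookieHeader(sap).includes("MYSAPSSO2=");

  // The kind of response a server-side logoff page (such as the BSP calling
  // HTTP_DELETE_SSO2_COOKIE) has to send; the exact SAP headers are assumed.
  jar.set(sap, "MYSAPSSO2=; Domain=example.com; Path=/; Max-Age=0; HttpOnly", true);
  jar.set(sap, "JSESSIONID=; Path=/; Max-Age=0; HttpOnly", true);
  const afterLogout = jar.cookieHeader(sap);

  return { onWire, inScript, jsClear, foreignClear, stillThere, afterLogout };
}

console.log(demo());
```

Running it shows the wire view with MYSAPSSO2 present, document.cookie with only the saplb cookie, both script-side expiry attempts returning false, and MYSAPSSO2 and JSESSIONID gone only after the server-side logoff response. Real browsers also apply path matching, the public-suffix list and Secure/SameSite rules that this model leaves out.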

nol_hendrikx
Active Contributor
0 Kudos

Hi Tobias,

When a user logs off via the logoff link (LSAPI_sessionPlugin.logoff() , Portal 7.3) the cookie and sessions will be destroyed.

When the user closes the tab / window with X the dsm terminator runs but the MYSAPSSO2 cookie will remain.

I checked the onunload function, but that's quite scary with page refreshes (also unloads).

Is there any chance we can close the session as well when the user presses X?

cheers,

Noel

hofmann
Active Contributor
0 Kudos

When DSM does what you need, you can customize the DSM application and add the code for the logoff link.

nol_hendrikx
Active Contributor
0 Kudos

DSM terminates the backend sessions only, I need to close / logoff the portal as well.

I just found OSS note 1598793, but for our portal we need to upgrade.

soldner
Participant
0 Kudos

Hi Yi,

Does your solution "kill" the browser pages? 

You created another BSP application called logout.htm with

<%
" Server-side logoff page. MYSAPSSO2 is HttpOnly, so only the issuing
" server can expire it: HTTP_DELETE_SSO2_COOKIE tells the browser, via
" this response, to discard the cookie.
CALL FUNCTION 'HTTP_DELETE_SSO2_COOKIE'
  EXPORTING
    server = runtime->server.
%>

Thanks for the posts!

soldner
Participant
0 Kudos

This just worked for me. I have a BSP using jquerymobile and added this to the page header

<a href="/sap/bc/bsp/sap/system/logoff.htm" data-icon="home">Kill</a>

I am going to change the data-icon, though.

This does kill the page, and the user must login to view it again. Simple enough for me...