
How secure is the SAP Logon Ticket

Former Member
0 Kudos

I understand the SAP logon ticket is BASE64 encoded and is stored as a non-persistent cookie in the client’s browser. Is it possible for anyone to hijack a user's SAP logon ticket, impersonate that user and get SSO access to the backend applications? Thanks.

2 REPLIES 2

Former Member
0 Kudos

Yes, if you have the cookie and transfer it to another client, you will be able to use it for your purpose. Pay special attention to the screensaver policy and protection of the client PC to avoid misuse.

martin_voros
Active Contributor
0 Kudos

Hi,

Base64 is used only for encoding. It does not matter what encoding you use from a security point of view. The cookie is digitally signed by the issuer. It's still only a cookie, so all attacks for hijacking HTTP sessions are usable. Hence basic protection like using HTTPS is a good way to go.

Cheers
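The three points made in this thread (base64 is not confidentiality, the issuer signature protects integrity, and a signed cookie still verifies wherever it is presented, so transport protection matters) can be shown with a small model. The following is an added illustration, not SAP code and not the real logon ticket format: the ticket layout, the demo key and the user IDs are constructed, and an HMAC over the payload stands in for the issuer's certificate-based signature. The cookie name MYSAPSSO2 is the one SAP uses for logon tickets; the Set-Cookie headers themselves are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key. A real logon ticket issuer signs with its private key and the
# verifier checks the issuer's certificate; a shared-secret HMAC is a stand-in that keeps
# the example self-contained while preserving the property under discussion.
ISSUER_KEY = b"demo-issuer-key-not-a-real-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user: str, client: str = "000", key: bytes = ISSUER_KEY) -> str:
    """Issue a signed, base64-encoded ticket laid out as <payload>.<signature> (constructed layout)."""
    payload = json.dumps({"user": user, "client": client}, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def read_without_key(ticket: str) -> dict:
    """Decode the payload with no key at all: base64 hides nothing from whoever holds the cookie."""
    payload_b64 = ticket.split(".", 1)[0]
    return json.loads(_unb64(payload_b64))


def verify_ticket(ticket: str, key: bytes = ISSUER_KEY):
    """Return the payload if the issuer signature checks out, otherwise None.

    Note what is absent: nothing here ties the ticket to the browser or host that
    presents it. A valid ticket copied to another client verifies identically, which
    is the hijacking risk the thread describes.
    """
    try:
        payload_b64, sig_b64 = ticket.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


def with_edited_user(ticket: str, new_user: str) -> str:
    """Re-encode the payload with a different user while keeping the original signature.
    Used below only to show that the signature catches such a modification."""
    payload_b64, sig_b64 = ticket.split(".", 1)
    data = json.loads(_unb64(payload_b64))
    data["user"] = new_user
    return _b64(json.dumps(data, sort_keys=True).encode()) + "." + sig_b64


def cookie_is_transport_protected(set_cookie: str) -> bool:
    """Check a Set-Cookie header for the attributes that keep a ticket off plaintext HTTP
    (Secure) and out of reach of page scripts (HttpOnly)."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return "secure" in attrs and "httponly" in attrs


def demo() -> dict:
    """Run the three properties against a constructed ticket and report the outcome."""
    ticket = issue_ticket("JSMITH", client="100")
    return {
        "readable_without_key": read_without_key(ticket)["user"],
        "tampered_is_rejected": verify_ticket(with_edited_user(ticket, "ADMIN")) is None,
        "copied_ticket_still_verifies": verify_ticket(ticket) is not None,
        "weak_header_ok": cookie_is_transport_protected("MYSAPSSO2=" + ticket + "; Path=/"),
        "hardened_header_ok": cookie_is_transport_protected(
            "MYSAPSSO2=" + ticket + "; Path=/; Secure; HttpOnly"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The decisive line is the verification routine: it checks who issued the ticket, not who is presenting it. That is why the answers above point at HTTPS and client protection rather than at the encoding. The header check is the corresponding configuration control: a ticket cookie set without Secure travels over plain HTTP, and one set without HttpOnly is readable by any script running in the page.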