
Cognos Cookies

Started by raviahuja21, 17 Jun 2014 06:55:28 AM


raviahuja21

Hi Folks,

I am trying to find a way wherein I can specify the expiry time for the Cognos cookies like CRN, cam_passport, cc_session, cea-ssa, etc.

Right now what I see is that the expiry date of these cookies in the browser is when the browser session closes. I actually want to specify a time for cookies to expire. How do I do this? I have tried doing this in the web server.

I am using Apache HTTP 2.2 as my web server.

Any help would be highly appreciated.

Thanks

Penny

Hi everyone

We are running Cognos 10.2.2 in a Windows 2012 environment and have single sign-on enabled. We have been doing some security testing and have found that the only way to clear the Cognos cookies is to close the browser. Is there any way to get around this? I connected to Cognos using a co-worker's machine (they didn't have the browser settings to enable single sign-on) and logged in with my own credentials. Even after logging out and closing the browser window, my co-worker was able to access Cognos using my credentials. The only way the credentials disappeared was to actually close the browser.

How can I prevent this? I am looking for an answer but haven't found one yet. Any advice is sincerely appreciated.

Thank you

bdbits

It might work to use "private" browser windows. In theory those should be sandboxed and not share any cookies or session state. I've not tested that with Cognos, but in theory it should work.

The issue as I see it is that Cognos is using standard HTML session management (which is an oxymoron for a stateless protocol but I digress). Because of this, they can share things like session tickets across browser windows. But the session state gets cached by the browser, often aggressively so. Closing down all browser instances should destroy the session, but if you are using the Windows-integrated IE, it becomes more difficult because it gets embedded into other applications. I do not know if there is something Cognos code could/should do on logout that could mitigate the issue. In any case, there is probably not much you can do. You might want to log a support ticket; if enough people complained they might try to fix it. Maybe.

And for what it's worth, I've seen other products do this, too.
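
An added example, not part of the thread and not Cognos or IBM code: a check that repeats the logout test described above at the HTTP level, reporting which of the cookies named in the thread a logout response leaves alive and whether each is a session or persistent cookie. The Set-Cookie values, the clock and the function names are constructed for illustration, and cookies are matched by name only (Domain and Path are ignored).

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookie names come from the thread; all header values below are constructed.
COGNOS_COOKIES = {"CRN", "cam_passport", "cc_session", "cea-ssa"}
LOGIN = ["cam_passport=constructed; Path=/; HttpOnly",
         "CRN=constructed; Path=/; Expires=Wed, 18 Jun 2014 06:55:28 GMT",
         "cc_session=constructed; Path=/"]
LOGOUT = ["cc_session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT"]
NOW = datetime(2014, 6, 17, 7, 0, tzinfo=timezone.utc)  # constructed clock

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def lifetime(attrs, now):
    """'session' (dies with the browser), 'persistent' or 'expired'."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            return "expired" if int(attrs["max-age"]) <= 0 else "persistent"
        except ValueError:
            pass  # an unparsable Max-Age is ignored
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"  # an unparsable Expires is ignored
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return "expired" if when <= now else "persistent"
    return "session"

def surviving_after_logout(login_headers, logout_headers, now):
    """Cookies set at login that the logout response does not expire."""
    live = {}
    for header in login_headers:
        name, attrs = parse_set_cookie(header)
        if name in COGNOS_COOKIES and lifetime(attrs, now) != "expired":
            live[name] = lifetime(attrs, now)
    for header in logout_headers:
        name, attrs = parse_set_cookie(header)
        if lifetime(attrs, now) == "expired":
            live.pop(name, None)
    return live
```

A cookie reported as `session` lasts until every browser window is closed, and expiring it in the browser does not by itself show that the server-side session was invalidated.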