Hi Folks,
I am trying to find a way wherein I can specify the expiry time for the Cognos cookies like CRN, cam_passport, cc_session, cea-ssa, etc.
Right now what I see is that the expiry date of these cookies in the browser is when the browser session closes. I actually want to specify a time for the cookies to expire. How do I do this? I have tried doing this in the web server.
I am using Apache HTTP 2.2 as my web server.
Any help would be highly appreciated.
Thanks
Hi everyone
We are running Cognos 10.2.2 in a Windows 2012 environment and have single sign-on enabled. We have been doing some security testing and have found that the only way to clear the Cognos cookies is to close the browser. Is there any way to get around this? I connected to Cognos using a co-worker's machine (they didn't have the browser settings to enable single sign-on) and logged in with my own credentials. Even after logging out and closing the browser window, my co-worker was able to access Cognos using my credentials. The only way the credentials disappeared was to actually close the browser.
How can I prevent this? I am looking for an answer but haven't found one yet. Any advice is sincerely appreciated.
Thank you
It might work to use "private" browser windows. In theory those should be sandboxed and not share any cookies or session state. I've not tested that with Cognos, but in theory it should work.
The issue as I see it is that Cognos is using standard HTML session management (which is an oxymoron for a stateless protocol but I digress). Because of this, they can share things like session tickets across browser windows. But the session state gets cached by the browser, often aggressively so. Closing down all browser instances should destroy the session, but if you are using the Windows-integrated IE, it becomes more difficult because it gets embedded into other applications. I do not know if there is something Cognos code could/should do on logout that could mitigate the issue. In any case, there is probably not much you can do. You might want to log a support ticket; if enough people complained they might try to fix it. Maybe.
And for what it's worth, I've seen other products do this, too.
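Added example, not part of the thread and not Cognos code: a Python check that reads the `Set-Cookie` headers from a login and a logout response and reports which cookies are session-only (no `Expires`/`Max-Age`) and which the logout response never expires. The header values are constructed for illustration; only the cookie names come from the posts above.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def lifetime(attrs, now):
    """Classify a cookie as 'session', 'persistent' or 'expired'."""
    if "max-age" in attrs:  # Max-Age wins over Expires (RFC 6265)
        try:
            return "expired" if int(attrs["max-age"]) <= 0 else "persistent"
        except ValueError:
            pass  # malformed Max-Age is ignored
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"  # unparsable Expires is ignored
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return "expired" if when <= now else "persistent"
    return "session"  # no lifetime attribute: lives until the browser exits

def audit(login_headers, logout_headers, now=None):
    """Report session-only cookies and cookies the logout response leaves alive."""
    now = now or datetime.now(timezone.utc)
    issued = {}
    for header in login_headers:
        name, _, attrs = parse_set_cookie(header)
        issued[name] = lifetime(attrs, now)
    cleared = set()
    for header in logout_headers:
        name, _, attrs = parse_set_cookie(header)
        if lifetime(attrs, now) == "expired":
            cleared.add(name)
    alive = [n for n, kind in issued.items() if kind != "expired"]
    return {"session_only": sorted(n for n in alive if issued[n] == "session"),
            "survive_logout": sorted(n for n in alive if n not in cleared)}

# Constructed sample headers (not captured from a Cognos server).
LOGIN = ["cam_passport=EXAMPLE1; Path=/; HttpOnly", "CRN=EXAMPLE2; Path=/",
         "cc_session=EXAMPLE3; Path=/"]
LOGOUT = ["cam_passport=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT"]
print(audit(LOGIN, LOGOUT))
```

Feed it the real headers from the browser's network tab or a proxy capture; any name listed under `survive_logout` stays usable in that browser until every window is closed.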