
Purpose

Outline how the browser decides with which requests to send the MYSAPSSO2 cookie, and some important aspects of browser cookie handling behaviour.

Overview

As described in The MYSAPSSO2 cookie - Introduction and creation details, when a user logs on to a Logon Ticket issuing system, the system creates a Logon Ticket for the user and sends it to the browser in the MYSAPSSO2 cookie. This MYSAPSSO2 cookie has a domain attribute value that the browser uses to decide with which requests to send the MYSAPSSO2 cookie, and this ultimately decides to which systems SSO can take place. This document describes some important aspects of how the browser handles the MYSAPSSO2 cookie.

MYSAPSSO2 cookie handling by browsers

For the sake of simplicity, coverage of the nuances of how browsers interpret the domain attribute value in the set-cookie command is omitted here. For the purposes of this document it is sufficient to assume that when the set-cookie command contains a domain attribute, the browser treats this as the cookie's effective domain and will send the cookie with all requests that are a domain match. Here we can take this to mean that the browser will send the cookie with all requests to servers in the same domain or a sub-domain of the domain specified as the cookie's domain attribute value. For more information refer to RFC 2965.

Domain matching

As stated in The MYSAPSSO2 cookie - Introduction and creation details, the browser uses the value of the cookie's domain attribute to determine with which requests it should send the cookie and therefore which systems should receive the logon ticket. Only if the browser considers the cookie's domain to be a 'domain match' to the domain in the request URL will it send the cookie with the request. An important aspect of cookie handling to consider is that a browser will not send a cookie with requests to domains that are parent domains of the domain specified as the value of the cookie's domain attribute. For example, a cookie with domain attribute value .support.mycompany.com would not be sent with a request to server myserver.mycompany.com, but it would be sent with a request to myserver.support.mycompany.com and to a server in a sub-domain such as myserver.servers.support.mycompany.com. In essence, the cookie's entire domain attribute value must be contained in the host name of the request URL in order for the browser to send the cookie with the request.

Path attribute

Since the path attribute of the MYSAPSSO2 cookie always has the value '/', it is sent with requests for all resources on a particular server once the domain in the URL is considered to be a domain match for the cookie. As a result one does not have to consider the path attribute when planning an SSO scenario using logon tickets, and can focus on the FQDN of the machines in the scenario and the domain attribute of the MYSAPSSO2 cookie, since these determine where the browser will send the cookie and ultimately whether SSO using SAP Logon Tickets over HTTP can take place.

Multiple MYSAPSSO2 cookies

Another important consideration is that it is possible for a browser to have multiple MYSAPSSO2 cookies in its memory, each with a different domain attribute value, since according to the standards multiple cookies with the same name but different "domain" and/or "path" attribute values can co-exist. Furthermore, it can occur that more than one of these MYSAPSSO2 cookies is considered by the browser to be a domain match for a particular request, and as a result more than one MYSAPSSO2 cookie can be sent with the request. This can happen in a multi-system scenario where the end user authenticates on multiple systems with logon ID and password, receiving a logon ticket from each system.

For example if the browser has in memory two MYSAPSSO2 cookies, one with domain .support.mycompany.com and the other with domain .mycompany.com both MYSAPSSO2 cookies will be sent with a request to server myserver.support.mycompany.com.

Since there is no ordering defined for such cookies it is not possible to determine in which order the browser will send the cookies and therefore this can have indeterminate consequences on the ticket accepting system. This is obviously a serious issue when the cookies involved are authentication tokens, and so such situations should be avoided by careful planning of the SSO landscape.

Secure attribute

It is possible to configure the ticket issuing system so that the MYSAPSSO2 cookie is set with the secure attribute. For example, on the NetWeaver AS Java this is achieved via the UME parameter ume.logon.security.enforce_secure_cookie. When a cookie has the secure attribute, the browser will only send it with HTTPS requests. If you access the ticket issuing system via plain HTTP, after successful authentication the browser will not send the MYSAPSSO2 cookie with any requests, including those back to the ticket issuing system itself; one typical symptom is being presented with the logon screen again immediately after entering a valid logon ID and password combination. In short, if the ticket issuing system has been configured to set the MYSAPSSO2 cookie's secure attribute, users must always access the system over HTTPS to avoid any problems that could occur due to the absence of a valid logon ticket.
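The following JavaScript is an added example, not code from the SAP wiki page or from SAP, that models the browser-side rules described in the Domain matching, Path attribute, Multiple MYSAPSSO2 cookies and Secure attribute sections above. It implements a simple domain match (cookie domain equal to, or a suffix of, the request host at a label boundary; a parent domain never matches), treats path '/' as matching everything, withholds secure cookies from plain HTTP requests, and reports when more than one MYSAPSSO2 cookie would be attached to a single request. The cookie jar, ticket values and host names are constructed sample data; real browsers apply additional rules from the RFCs that are deliberately left out here, as the page itself does.

```javascript
// Added example (not from the SAP wiki page): a model of the browser-side rules the
// page describes for the MYSAPSSO2 cookie. Cookie jar contents, ticket values and
// host names are constructed sample data.

// Domain match as the page describes it: the cookie's domain attribute (with or
// without a leading dot) must equal the request host or be a suffix of it at a
// label boundary. A parent domain of the cookie domain never matches, and neither
// does an unrelated host that merely ends in the same characters.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === dom || host.endsWith("." + dom);
}

// Path match: MYSAPSSO2 always carries path "/", so every request path matches.
// Other paths are handled for completeness (prefix match at a "/" boundary).
function pathMatches(requestPath, cookiePath) {
  if (cookiePath === "/") return true;
  const prefix = cookiePath.endsWith("/") ? cookiePath : cookiePath + "/";
  return requestPath === cookiePath || requestPath.startsWith(prefix);
}

// Return the cookies a browser would attach to a request for `url`, in jar order.
// The page notes that the standards define no ordering for same-named cookies, so
// the order returned here is not something an accepting system may rely on.
function cookiesForRequest(jar, url) {
  const u = new URL(url);
  const https = u.protocol === "https:";
  return jar.filter(c =>
    domainMatches(u.hostname, c.domain) &&
    pathMatches(u.pathname, c.path) &&
    (!c.secure || https)
  );
}

// Constructed cookie jar: three MYSAPSSO2 cookies from three ticket-issuing
// systems, one of them set with the secure attribute.
const jar = [
  { name: "MYSAPSSO2", value: "TICKET_FROM_PORTAL",  domain: ".mycompany.com",         path: "/", secure: false },
  { name: "MYSAPSSO2", value: "TICKET_FROM_SUPPORT", domain: ".support.mycompany.com", path: "/", secure: false },
  { name: "MYSAPSSO2", value: "TICKET_SECURE_ONLY",  domain: ".secure.mycompany.com",  path: "/", secure: true  },
];

// Ticket values that would be sent with a request to `url`.
function ticketsSentTo(url, cookieJar = jar) {
  return cookiesForRequest(cookieJar, url).map(c => c.value);
}

// The ambiguous situation the page warns about: more than one MYSAPSSO2 cookie
// matching a single request, so the accepting system cannot know which it gets first.
function hasAmbiguousTicket(url, cookieJar = jar) {
  return cookiesForRequest(cookieJar, url).filter(c => c.name === "MYSAPSSO2").length > 1;
}

// Walk through the page's example hosts when run directly.
for (const url of [
  "http://myserver.mycompany.com/irj/portal",
  "http://myserver.support.mycompany.com/sap/bc/ping",
  "http://myserver.servers.support.mycompany.com/",
  "http://app.secure.mycompany.com/",
  "https://app.secure.mycompany.com/",
]) {
  console.log(url, "->", ticketsSentTo(url), hasAmbiguousTicket(url) ? "(ambiguous)" : "");
}
```

Running it shows the parent-domain case from the text (the .support.mycompany.com ticket is not sent to myserver.mycompany.com), the two-ticket case from the Multiple MYSAPSSO2 cookies section, and the secure-only ticket disappearing from plain HTTP requests.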

MYSAPSSO2 cookie handling by proxies

It is not uncommon for a proxy to modify the cookie's domain and path attribute values, leading to various authentication issues such as SSO failing. For example, the proxy may alter the domain attribute value to be equal to the FQDN in the request, leading to the browser sending the cookie only with requests to the ticket issuing system, or it may alter the path value, leading to the cookie only being sent to a specific application instead of all applications on a particular system. Other erroneous behaviour includes completely filtering out the cookie from the request or response, or caching the cookie in some way and later associating the cached cookie with an incorrect request, causing a security issue. Such behaviour by proxies should be avoided, and analysis of such issues requires analysis of the requests and responses from both the client and server sides.
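When troubleshooting the proxy behaviour described above, the practical check is to capture the Set-Cookie header as the ticket issuing system sends it and as it arrives at the browser, and compare the two. The JavaScript below is an added example, not part of the SAP wiki page and not SAP code, that parses the MYSAPSSO2 Set-Cookie header from each capture and reports a dropped cookie, a changed ticket value, or a rewritten domain, path or secure attribute. The header strings are constructed; the ticket value is a placeholder, not a real logon ticket.

```javascript
// Added example (not from the SAP wiki page): compare the MYSAPSSO2 Set-Cookie
// header captured on the server side with the one that reached the browser, to
// spot a proxy rewriting attributes or dropping the cookie. All header strings
// below are constructed sample data.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
// Attributes without a value (Secure, HttpOnly) are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(";").map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const key = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : p.slice(i + 1).trim();
  }
  return cookie;
}

// Find and parse the MYSAPSSO2 Set-Cookie header in a list of captured headers.
function findTicketCookie(setCookieHeaders) {
  const h = setCookieHeaders.find(x => /^\s*MYSAPSSO2=/i.test(x));
  return h ? parseSetCookie(h) : null;
}

// Compare the server-side and client-side captures; return a list of findings.
// An empty list means the cookie passed through the proxy unchanged.
function compareCaptures(serverHeaders, clientHeaders) {
  const findings = [];
  const s = findTicketCookie(serverHeaders);
  const c = findTicketCookie(clientHeaders);
  if (!s) { findings.push("server did not set MYSAPSSO2"); return findings; }
  if (!c) { findings.push("MYSAPSSO2 missing at client: cookie filtered out in transit"); return findings; }
  if (s.value !== c.value) findings.push("ticket value changed in transit");
  for (const attr of ["domain", "path", "secure"]) {
    const sv = s.attrs[attr], cv = c.attrs[attr];
    if (String(sv ?? "") !== String(cv ?? "")) {
      findings.push(`${attr} changed: server=${sv ?? "(absent)"} client=${cv ?? "(absent)"}`);
    }
  }
  return findings;
}

// Constructed captures: the issuing system sets a domain-wide cookie, but the
// proxy has narrowed both the domain (to the server FQDN) and the path.
const serverSideHeaders = [
  "OTHER=1; Path=/",
  "MYSAPSSO2=SAMPLE_TICKET_PLACEHOLDER; Domain=.mycompany.com; Path=/",
];
const clientSideHeaders = [
  "OTHER=1; Path=/",
  "MYSAPSSO2=SAMPLE_TICKET_PLACEHOLDER; Domain=portal.mycompany.com; Path=/irj",
];

// Print the findings when run directly.
for (const f of compareCaptures(serverSideHeaders, clientSideHeaders)) console.log(f);
```

A finding that the domain attribute now equals the server FQDN, or that the path is no longer '/', matches the two rewriting cases the section describes; a missing cookie at the client side points at filtering. Captures can be taken with the HTTP trace facility of the server and the browser's developer tools, and only the Set-Cookie lines need to be fed to the comparison.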


Related Content

Related Documents

The MYSAPSSO2 cookie - Introduction and creation details

The MYSAPSSO2 cookie - cookie deletion details

Netscape cookie preliminary specification

RFC 2965

RFC 2109

Related SAP Notes/KBAs

SAP note 654982 URL requirements due to Internet standards
