How to expire SAP cookies upon logoff

Former Member
0 Kudos

For portal authentication, I utilize a 3rd-party system. Upon portal logoff, I feel that I need to expire any and all SAP cookies. The SAP cookies seem to persist even after logoff, and their presence breaks my integration to the 3rd-party system.

It appears that the following 5 SAP cookies need to be expired:

MYSAPSSO2

JSESSIONID

PD-ECC

PortalAlias

saplb_*

Has anyone developed code to expire SAP cookies sufficiently?

Thanks,

Kevin

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Kevin,

What do you mean by expire?

You can destroy the cookies using the logoff page on the portal, which will also expire the session on the portal. The logoff page is called using:

http://host.domain/useradmin/irj/portal/index.html?logout_submit=true

After calling the logoff page, you can redirect back to your server using the UME properties, see Help on Portal logoff (http://help.sap.com/saphelp_nw2004s/helpdata/en/44/aada5230be5e77e10000000a155369/frameset.htm) for details.

For a plain J2EE engine you can use the UME for the logoff like below:

http://you.server.domain/logon/logonServlet?logoff=&redirectURL=/your-application

Kind regards,

Patrick.

5 REPLIES 5

0 Kudos

Hi Patrick

Thank you for your response.

I do specify the logoff URL for the 3rd-party authentication in the ume.logoff.redirect.url. And it all works fine in that the portal and authentication cookies seem to be expired and the sessions destroyed upon logoff.

Here is the problem: After doing this logoff, when staying in the same browser, if I retype the portal URL, my custom loginModule is not invoked and the 3rd-party auth is not displayed. Instead, it seems that the portal tries to log in again using the half-baked SAP cookies (or something) and the native portal login page is displayed. And once there, the user is stuck because no credentials will work at that location.

This problem is why I thought I needed to more forcefully expire the SAP cookies.

Kevin

0 Kudos

Hi Kevin,

What is the content of this 'half baked' SSO cookie?

SAP Logon tickets can only be valid or invalid. In the latter case, the authentication should still call your module but the setting of the SSO2 ticket would fail, as the CreateLogonTicket module will not overwrite logon tickets. If there really is a wrong ticket you can just unset the cookie within your own application and everything should be fine. As said, this is the only way to sort of 'expire' the logon ticket.

Regards,

Patrick
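
Unsetting the cookies from your own application, as suggested above, comes down to sending matching Set-Cookie headers. This is an added example, not code from the thread or from SAP: it builds expiry headers for the cookies named in the question. The Path, Domain and sample Cookie header are assumptions; in a servlet each value would go to response.addHeader("Set-Cookie", value), with secure taken from request.isSecure().

```java
import java.util.ArrayList;
import java.util.List;

public class SapCookieExpiry {
    // Cookie names listed in the question; "saplb_" is a prefix (saplb_*).
    static final String[] EXACT = {"MYSAPSSO2", "JSESSIONID", "PD-ECC", "PortalAlias"};
    static final String PREFIX = "saplb_";

    static boolean isSapCookie(String name) {
        // Reject names with control characters or separators before echoing them into a header.
        boolean clean = !name.isEmpty()
            && name.chars().allMatch(c -> c > 0x20 && c < 0x7f && ",;= \"".indexOf(c) < 0);
        if (!clean) return false;
        if (name.startsWith(PREFIX)) return true;
        for (String n : EXACT) if (n.equals(name)) return true;
        return false;
    }

    /**
     * Returns one Set-Cookie value per SAP cookie present in the request's Cookie header.
     * path and domain are assumptions: the browser only drops a cookie when they match
     * the attributes it was originally set with. domain may be null for host-only cookies.
     * secure must be false on plain HTTP, where browsers reject Secure cookies.
     */
    static List<String> expiryHeaders(String cookieHeader, String path, String domain, boolean secure) {
        List<String> out = new ArrayList<>();
        if (cookieHeader == null) return out;
        for (String pair : cookieHeader.split(";")) {
            String p = pair.trim();
            int eq = p.indexOf('=');
            String name = eq < 0 ? p : p.substring(0, eq);
            if (!isSapCookie(name)) continue;
            StringBuilder sb = new StringBuilder(name).append("=; Max-Age=0")
                .append("; Expires=Thu, 01 Jan 1970 00:00:00 GMT")
                .append("; Path=").append(path);
            if (domain != null) sb.append("; Domain=").append(domain);
            if (secure) sb.append("; Secure");
            out.add(sb.append("; HttpOnly").toString());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed request header for illustration; "theme" is not an SAP cookie and is left alone.
        String cookies = "MYSAPSSO2=; JSESSIONID=abc123; saplb_*=(J2EE1234)5678; theme=dark";
        for (String h : expiryHeaders(cookies, "/", "example.com", true)) {
            System.out.println("Set-Cookie: " + h);
        }
    }
}
```

Because the names are read from the incoming Cookie header, the saplb_* load-balancer cookie is caught whatever its exact name is, and HttpOnly cookies that client-side script cannot touch are expired as well.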

0 Kudos

Hi Patrick.

I'm not sure of the content of the MYSAPSSO2 cookie. In this situation, if I run a javascript:alert(document.cookie), the browser reports that "MYSAPSSO2=". I don't know what is in there.

Can Java code inspect the contents of the cookie, looking for validity?

Thanks,

Kevin

0 Kudos

Hi Kevin,

From what you wrote, the cookie is just empty, which would be correct and is the expected behaviour after logoff. In this case, the next authentication should just work fine. So I'd guess this is not the problem.

You can display cookies with the following bookmarklet (just copy it into a bookmark):

javascript:if(document.cookie.length<1){alert('This%20Site%20provided%20no%20Cookie.')}else{alert('Cookies%20of%20this%20Site:\n\n'+unescape(document.cookie.replace(/;%20/g,'\n')))}

This will however not work with systems configured to protect the MYSAPSSO2 Ticket (setting the cookie to http-only). There you will see the cookie only if you trace the traffic (like with HTTPWatch).