
Logon Ticket MYSAPSSO2 Validation and session hijacking

My understanding is that the accepting SAP Java AS retrieves the cookie information from MYSAPSSO2 and uses the certificate of the issuing system to authenticate the session.

My question is, is JSESSIONID and other HTTP information used together with MYSAPSSO2 information for session authentication?

What we've observed is that if we delete JSESSIONID from the client cookies, the session is invalid right away, although we don't touch any MYSAPSSO2 information. But we're not sure whether this is a behavior of the SAP NW Java AS or of the IBM Tivoli SSO server which authenticates the access in the first place.

Also, if MYSAPSSO2 is the only information used for authentication, can the session be hijacked if this information is captured by another session?


1 Answer

  • Posted on May 15, 2015 at 11:22 AM

    Hello Gang,

    I think the MYSAPSSO2 is used to identify the user and the JSESSIONID is used to decrypt the encrypted communication and hence used to identify the session.

    If someone gets their hands on MYSAPSSO2, yes, they might be able to impersonate. I have read this on some forum posts, but it's an interesting question and I would like to know more about this, so I'll watch this thread.

    Regards,

    Siddhesh

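The observation in the question (dropping JSESSIONID kills the session while MYSAPSSO2 is untouched) can be settled empirically rather than by guessing which component enforces what: replay one captured, authenticated request with every subset of its cookies and see which subsets the server still accepts. The following is an added example written for this thread, not code from the original post, SAP or IBM. `probe_cookie_binding`, `interpret`, `mock_sender` and the sample cookie values are all hypothetical names and constructed data; the mock stands in for the AS Java / Tivoli front end with three possible policies so the script runs offline, and `urllib_sender` is the same check pointed at a real URL (only for a system you are authorised to test). Redirects are deliberately not followed, because a 302 to a logon page is a rejection, not a success.

```python
"""Which cookie does an SSO-protected resource actually bind the session to?

Replays one captured request with each non-empty subset of its cookies and
records the HTTP status. If the MYSAPSSO2 ticket alone yields 200, the ticket
is re-evaluated on every request and a captured ticket can be replayed by a
different client (the session-hijack scenario asked about in the question).
Hypothetical helper written for this thread; names and sample data are made up.
"""
from itertools import combinations
from typing import Callable, Dict, Mapping, Tuple
import urllib.error
import urllib.request

Cookies = Mapping[str, str]
RequestFn = Callable[[Cookies], int]  # sends the cookies, returns the HTTP status

# Constructed sample capture; real tickets are base64 PKCS#7-signed blobs.
SAMPLE_COOKIES = {"MYSAPSSO2": "AjExMDAgAB...constructed...", "JSESSIONID": "constructed-session-id"}


def cookie_header(cookies: Cookies) -> str:
    """Serialize a cookie dict into a single Cookie request header."""
    return "; ".join(f"{name}={value}" for name, value in cookies.items())


def probe_cookie_binding(send: RequestFn, cookies: Cookies) -> Dict[Tuple[str, ...], int]:
    """Replay with every non-empty subset of cookie names; map subset -> status."""
    names = sorted(cookies)
    results: Dict[Tuple[str, ...], int] = {}
    for size in range(1, len(names) + 1):
        for subset in combinations(names, size):
            results[subset] = send({name: cookies[name] for name in subset})
    return results


def interpret(results: Dict[Tuple[str, ...], int],
              ticket: str = "MYSAPSSO2", session: str = "JSESSIONID") -> str:
    """Turn the probe results into the answer to 'what is the session bound to?'."""
    both = results.get(tuple(sorted((ticket, session))))
    if both != 200:
        return "baseline replay rejected: capture is stale or bound to something else (IP, TLS session, other headers)"
    if results.get((ticket,)) == 200:
        return "ticket alone authenticates: captured MYSAPSSO2 is replayable without the original session"
    if results.get((session,)) == 200:
        return "session alone authenticates: after logon the ticket is not rechecked; JSESSIONID is the hijack target"
    return "both cookies required: the server binds the ticket to the servlet session"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as HTTPError instead of following it to the logon page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_sender(url: str) -> RequestFn:
    """Sender for a live target you are authorised to test (replays over the network)."""
    opener = urllib.request.build_opener(_NoRedirect)

    def send(cookies: Cookies) -> int:
        req = urllib.request.Request(url, headers={"Cookie": cookie_header(cookies)})
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 302/401/403 are all 'rejected' for this probe
    return send


def mock_sender(policy: str, valid: Cookies) -> RequestFn:
    """Constructed stand-in for the AS Java / reverse proxy with a given policy:
    'ticket_only' rechecks MYSAPSSO2 per request, 'session_only' trusts the
    servlet session after logon, 'both' requires the pair."""
    def send(cookies: Cookies) -> int:
        has_ticket = cookies.get("MYSAPSSO2") == valid["MYSAPSSO2"]
        has_session = cookies.get("JSESSIONID") == valid["JSESSIONID"]
        accepted = {"ticket_only": has_ticket,
                    "session_only": has_session,
                    "both": has_ticket and has_session}[policy]
        return 200 if accepted else 401
    return send


if __name__ == "__main__":
    for policy in ("ticket_only", "session_only", "both"):
        outcome = probe_cookie_binding(mock_sender(policy, SAMPLE_COOKIES), SAMPLE_COOKIES)
        print(f"{policy:13s} -> {interpret(outcome)}")
    # Live use: probe_cookie_binding(urllib_sender("https://host/irj/portal"), captured_cookies)
```

When a Tivoli (or any other) front end sits in front of the AS Java, run the probe against the front end and, if the network path allows it, directly against the Java port as well: the two answers can differ, and the difference tells you which layer is doing the binding. A "ticket alone authenticates" result should be read together with the ticket's validity period and whether MYSAPSSO2 is set with the Secure and HttpOnly flags, since those determine how easily the value can be captured in the first place.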
