
Portal COOKIE

Former Member
0 Kudos

Whenever a user logs into the portal, a cookie named MYSAPSSO2 is created. This encrypted cookie contains the logged-in user name. This cookie is used to do Single Sign On to R/3 and other external systems. My question is:

In ABAP, has anyone tried to extract the user name from the MYSAPSSO2 cookie issued by the portal?

If yes, kindly tell us how it was done.

The cookie can be decrypted by using the portal system certificate installed in R/3.

Thanks and Regards,

Prasanna Krishnamurthy

6 REPLIES

Former Member
0 Kudos

Hello Prasanna,

Not sure if this is what you are looking for, but you can take a look at the class CL_HTTP_ENTITY, which I think is gonna be helpful to you.

Regards,

Anand Mandalika.

Former Member
0 Kudos

Prasanna,

Well, the user ID actually is not encrypted in the mysapsso2 cookie. You could read it in plain text if you just knew the data structure (which has not been made public). But: what do you need to explicitly inspect the mysapsso2 cookie for?

I assume you are writing some ABAP-based web application (i.e. BSPs), right? Now you would like to do some SSO between EP and your application. This can be realized without custom coding by simply configuring the target system properly. Transaction STRUSTSSO2 should help you out. Also take a look at the relevant security guides for your systems (available at service.sap.com/securityguide).

Regards,

Dominik

dhorions
Contributor
0 Kudos

I also couldn't read the client cookie mysapsso2 via the normal ABAP way to read a client-side cookie:


call method request->get_cookie
    exporting
      name = 'MYSAPSSO2'
    importing
      value = application->sso_id.

But you can read it just fine via this JavaScript function:

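function ReadCookie(cookieName)
{
 // Return "" for an empty name or when the cookie is not present.
 if (cookieName=="") return "";
 var cookies=(""+document.cookie).split(';');
 for (var i=0;i<cookies.length;i++)
 {
  var pair=cookies[i].replace(/^\s+/,"");
  // Match the whole cookie name, not a substring of another name or value.
  if (pair.indexOf(cookieName+"=")==0)
   return decodeURIComponent(pair.substring(cookieName.length+1));
 }
 return "";
}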

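An added example, not part of the original thread and not SAP code: a cookie that script can read through document.cookie was issued without the HttpOnly attribute, so the check below audits Set-Cookie response headers for the MYSAPSSO2 ticket and reports missing HttpOnly and Secure attributes and any Domain scope. The function names, header strings and ticket values are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for the MYSAPSSO2 logon ticket.
// A cookie shows up in document.cookie only when HttpOnly is absent.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p !== '');
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf('=');
  if (eq <= 0) return null; // no name=value pair
  const attrs = Object.create(null);
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1), attrs };
}

// Return the findings for the named ticket cookie across all headers.
function auditTicketCookie(setCookieHeaders, cookieName = 'MYSAPSSO2') {
  const findings = [];
  let seen = false;
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    if (!c || c.name !== cookieName) continue;
    seen = true;
    if (!c.attrs.httponly) findings.push('script-readable: HttpOnly missing');
    if (!c.attrs.secure) findings.push('may be sent over plain HTTP: Secure missing');
    if (typeof c.attrs.domain === 'string')
      findings.push('sent to every host under Domain=' + c.attrs.domain);
  }
  if (!seen) findings.push('cookie not set');
  return findings;
}

// Constructed sample headers (ticket values are placeholders, not real tickets).
const weak = ['MYSAPSSO2=PLACEHOLDER_TICKET; path=/; domain=.example.com'];
const hardened = [
  'JSESSIONID=constructed; Path=/; HttpOnly',
  'MYSAPSSO2=PLACEHOLDER_TICKET; Path=/; Secure; HttpOnly',
];

console.log(auditTicketCookie(weak));     // three findings
console.log(auditTicketCookie(hardened)); // no findings
```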

Former Member
0 Kudos

What I am trying to do is this:

a. In a Java iView, read the SSO cookie

b. Pass this encrypted string to an RFC

c. The RFC should decrypt it

Why am I doing this? I want my RFCs to work only if the request is coming from a trusted portal server.

I am aware that by doing this the RFC can't be reused by any other application.

Thanks and Regards,

Prasanna Krishnamurthy

0 Kudos

Prasanna,

This is not the way passing the SAP logon ticket via RFC is supposed to work. Please check the JCo documentation; JCo supports RFC logons based on SAP logon tickets (instead of uid/pw). The target system will automatically check the ticket (+ the user!) for validity and trustworthiness. It may also be good advice to read the portal's security guide to see how to configure an R/3 system to support SAP logon tickets.

Regards,

Dominik

0 Kudos

Hi Dominik,

Thanks.

I don't want to check for the validity of the user, as I am using User Mapping in portals. I just want to ensure that the RFC can be executed only by a trusted portal server.

Let me go through the JCo documentation again.

Thanks and Regards,

Prasanna Krishnamurthy