IBM Support

PM60113: HOW TO DISABLE COOKIE ID DETECTION


APAR status

  • Closed as fixed if next.

Error description

  • There is a section on URL Security in the Cognos Software
    Development Kit Developer Guide as follows:

    URL Security

    Because URL commands can bypass IBM Cognos access controls, we
    recommend that you fully discuss security issues with your
    administrator before implementing them.

    For more information about access permissions, see the
    Administration and Security Guide.

    Browser Cookie Support

    If a user logs on before issuing a URL request, the browser
    cookie already contains their IBM Cognos Access Manager passport
    ID. The dispatcher automatically extracts this ID and appends it
    to the bibus » biBusHeader class before forwarding the request
    to the target service provider for processing.

    Anonymous Logon Support

    If a user attempts to log on and no authorized passport ID is
    detected in their browser cookie, the Web gateway or dispatcher
    can enable anonymous logon for this request. Before the service
    request is forwarded, an anonymous ID is appended to the
    bibus » biBusHeader class. Anonymous logon only occurs if a
    bibus » CAM passport is not found in the browser cookie and if
    IBM Cognos is configured to support this option.

    Multiple Logon Alternative

    You can disable both cookie ID detection and anonymous logon.
    However, if you do, your users must log on manually every time
    they use a URL to perform a task.

    One way to avoid the need for multiple logons is to specify a
    PASS form variable immediately after the last form variable in
    the URL. This appends a passport ID onto the
    bibus » biBusHeader class and forwards it, along with the URL
    request, to the target service provider. This PASS variable
    takes precedence over any other passport ID in the user's cookie
    list. However, we do not recommend this technique for use in
    HTTP environments, because it exposes unencrypted passwords to
    anyone reading the URL.

    Tips: To ensure that system security is not compromised, we
    recommend that you only use the PASS method if Secure Socket
    Layer (SSL) HTTPS transport is implemented. If you must use the
    PASS method in an HTTP environment, enable it only for users
    having the highest security clearance, and set up timeouts that
    force these users to log off promptly. Otherwise, URL recipients
    can use their unencrypted passport IDs to log on remotely and
    perform unauthorized tasks on the sender's computer.

    How does one disable cookie ID detection so as to allow logon
    but to require a user to log on manually every time they use a
    URL to perform a task when anonymous logon has also been
    disabled?
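
The PASS guidance quoted above can be checked from the defender's side. The following is an added example, not part of the APAR or of IBM's code: it flags URLs (for instance from proxy or web-server logs) that carry a PASS variable, marks those sent over plain HTTP, and redacts the passport value before the finding is stored. It assumes PASS appears as a `PASS=` query-string parameter; the hostnames, paths and values are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Variable name taken from the guide; its query-string form is an assumption.
PASS_VAR = "PASS"


def audit_url(url):
    """Return a finding dict if the URL carries a PASS variable, else None."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    if PASS_VAR not in names:
        return None
    # Redact the passport value so the finding itself is safe to store or share.
    redacted = [(n, "REDACTED" if n == PASS_VAR else v) for n, v in pairs]
    safe_url = urlunsplit(parts._replace(query=urlencode(redacted)))
    return {
        "url": safe_url,
        # The guide recommends the PASS method only over SSL/HTTPS transport.
        "plaintext": parts.scheme.lower() != "https",
        # The guide places PASS immediately after the last form variable.
        "pass_is_last": names[-1] == PASS_VAR,
    }


def audit(urls):
    """Audit an iterable of URLs and keep only those that carry PASS."""
    return [f for f in (audit_url(u) for u in urls) if f is not None]


# Constructed sample URLs (hostnames, paths and values are made up).
SAMPLE_URLS = [
    "http://bi.example.test/gateway?action=run&report=sales&PASS=abc123",
    "https://bi.example.test/gateway?action=run&report=sales&PASS=abc123",
    "https://bi.example.test/gateway?action=run&report=sales",
    "http://bi.example.test/gateway?PASS=abc123&action=run",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_URLS):
        level = "HIGH" if finding["plaintext"] else "review"
        print(level, finding["url"])
```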
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All Users                                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See error description.                                       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Upgrade to IBM Cognos Business Intelligence 10.2 Refresh     *
    * Pack 1                                                       *
    ****************************************************************
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PM60113

  • Reported component name

    COG8 SOFT DEVKI

  • Reported component ID

    5724W12SK

  • Reported release

    A11

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-03-09

  • Closed date

    2013-06-11

  • Last modified date

    2013-06-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

  • RA21 PSN

       UP

Document Information

Modified date:
11 June 2013