Logon tickets are used as authentication "tokens" and should therefore be protected from unauthorized use.
The measures we take for protection include:
- Logon tickets are only sent to Web servers or SAP Web Application Servers that are located in the same DNS domain as the Web server that issued the ticket.
- Logon tickets are stored in the Web browser's main memory and are not written to disk. A user's authentication information is therefore no longer available to services after the user closes his or her Web browser.
- Logon tickets expire after a designated period of time as specified in the profile parameter
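
The first two measures can be checked from the `Set-Cookie` header that delivers the ticket to the browser. The following Python check is an added example, not SAP code; the cookie name `MYSAPSSO2` as used here, the header values, the hostnames and all function names are assumptions made for illustration.

```python
# Added example: audit a logon-ticket Set-Cookie header for domain scope and persistence.
# Header values, cookie name and hostnames are constructed samples, not taken from the page.
GOOD = "MYSAPSSO2=AjExMDAgAA; Domain=.example.com; Path=/"
BAD = "MYSAPSSO2=AjExMDAgAA; Domain=.com; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); attribute names lower-cased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def receives_ticket(target_host, header, issuing_host):
    """Would a browser send this cookie to target_host?"""
    scope = parse_set_cookie(header)[2].get("domain")
    if scope:
        return domain_matches(target_host, scope)
    return target_host.lower() == issuing_host.lower()  # host-only cookie

def audit_ticket_cookie(header, issuing_host, issuer_dns_domain):
    """Return a list of findings; an empty list means both checks passed."""
    attrs = parse_set_cookie(header)[2]
    findings = []
    # Not written to disk: a cookie without Expires/Max-Age lives only for the browser session.
    for attr in ("expires", "max-age"):
        if attr in attrs:
            findings.append(f"persistent cookie: {attr} is set")
    # Same DNS domain: the scope must cover the issuer and be no wider than its DNS domain.
    scope = attrs.get("domain", "")
    if scope and not domain_matches(issuing_host, scope):
        findings.append(f"domain {scope} does not cover issuing host")
    elif scope and not domain_matches(scope.lstrip("."), issuer_dns_domain):
        findings.append(f"domain {scope} is wider than {issuer_dns_domain}")
    return findings

if __name__ == "__main__":
    for label, header in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_ticket_cookie(header, "portal.example.com", "example.com"))
```
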