Protecting User Information (SAP Library - SAP Web Application Server Security)

Protecting User Information

Logon tickets are used as authentication "tokens" and should therefore be protected from unauthorized use.

The measures we take for protection include:

Logon tickets are only sent to Web servers or SAP Web Application Servers that are located in the same DNS domain as the Web server that issued the ticket.

Logon tickets are stored in the Web browser's main memory and are not written to disk. A user's authentication information is therefore no longer available to services after the user closes his or her Web browser.

Logon tickets expire after a designated period of time as specified in the profile parameter login/ticket_expiration_time (default = 60 hours).

We encrypt the contents of the logon ticket to prevent it from being read by unauthorized persons. A cryptographic checksum also makes sure that any changes made to the ticket are detected.

The measures you should use include:

Use HTTPS to protect the communication paths.
Define a specific DNS domain where the ticket is to be used.
Your end users should protect access to their open Web browsers. In particular, they should activate password-protected screen savers.