Logon tickets are used as authentication "tokens" and should therefore be protected from unauthorized use.
The measures we take for protection include:
· Logon tickets are issued as a browser cookie whose domain is restricted, so the Web browser only sends a ticket to Web servers or SAP Web Application Servers that are located in the same DNS domain as the Web server that issued the ticket.
· Logon tickets are stored only in the Web browser's main memory as a non-persistent session cookie and are not written to disk. Once the user closes the Web browser, the ticket is gone and the user's authentication information is no longer available to services. Note that a browser configured to restore its previous session on startup can keep session cookies across a restart; the protection assumes that feature is not in use.
· Logon tickets expire after the period specified in the profile parameter login/ticket_expiration_time (default: 60 hours). A shorter validity period narrows the window in which a stolen ticket can be replayed.
The measures you should use include:
· Use HTTPS to protect the communication paths, so that the ticket cannot be read in transit. The ticket cookie should carry the Secure attribute so the browser never sends it over plain HTTP; on the SAP Web Application Server the profile parameter login/ticket_only_by_https enforces this.
· Define a specific DNS domain where the ticket is to be used, and keep that domain as narrow as your landscape allows: every host within the cookie's domain receives the ticket and must therefore be trusted.
· Your end users should protect access to their open Web browsers, since anyone who can use the open browser can use the ticket. In particular, they should activate password-protected screen savers.
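The following script checks whether a server actually issues the logon ticket cookie with the protections described above. It is an added example and not part of the original documentation or of any SAP product. It parses Set-Cookie headers and reports a finding when the cookie's Domain is broader than the DNS domain you defined, when an Expires or Max-Age attribute would make the browser persist the ticket to disk, or when the Secure attribute is missing; it also checks for HttpOnly, which is not listed above but keeps the ticket out of reach of page scripts. The cookie name MYSAPSSO2 is the name of the SAP logon ticket cookie; the hostnames, domain names and cookie values in the sample headers are constructed for the example.

```python
"""Check logon-ticket Set-Cookie headers against the protections listed above.

Added example, not code from the original page. The sample headers below are
constructed; only the cookie name MYSAPSSO2 is real (the SAP logon ticket cookie).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TICKET_COOKIE = "MYSAPSSO2"

# Constructed sample headers (assumed values, not captured from a real system).
SAMPLE_HEADERS = {
    # Domain limited to the defined DNS domain, no Expires/Max-Age, Secure + HttpOnly.
    "hardened": "MYSAPSSO2=AjExMDAgABFwb3J0YWw6; Path=/; Domain=.corp.example.com; Secure; HttpOnly",
    # Domain wider than intended, persisted to disk via Expires, sent over plain HTTP.
    "weak": "MYSAPSSO2=AjExMDAgABFwb3J0YWw6; Path=/; Domain=.example.com; Expires=Fri, 31 Dec 2027 23:59:59 GMT",
}


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to None.
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header into name, value and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def domain_within(cookie_domain: str, expected_domain: str) -> bool:
    """True if the cookie's Domain is the expected DNS domain or a subdomain of it.

    A leading dot is ignored, as browsers do. A Domain that is a parent of the
    expected domain (e.g. example.com for corp.example.com) is too broad: the
    browser would send the ticket to every host under example.com.
    """
    d = cookie_domain.lower().lstrip(".")
    e = expected_domain.lower().lstrip(".")
    return d == e or d.endswith("." + e)


def check_ticket_cookie(header: str, expected_domain: str) -> List[str]:
    """Return a list of findings for a logon-ticket Set-Cookie header (empty if fine)."""
    cookie = parse_set_cookie(header)
    if cookie.name != TICKET_COOKIE:
        return [f"not a logon ticket cookie: {cookie.name}"]
    findings: List[str] = []

    domain = cookie.attrs.get("domain")
    # No Domain attribute means a host-only cookie: sent back only to the issuing
    # host, which is the most restrictive scope and therefore acceptable.
    if domain is not None and not domain_within(domain, expected_domain):
        findings.append(f"Domain={domain} is broader than the defined DNS domain {expected_domain}")

    # A session cookie has neither Expires nor Max-Age; either one makes the
    # browser persist the ticket to disk and keep it after the browser is closed.
    if "expires" in cookie.attrs or "max-age" in cookie.attrs:
        findings.append("Expires/Max-Age present: ticket would be persisted to disk")

    if "secure" not in cookie.attrs:
        findings.append("Secure attribute missing: ticket may be sent over plain HTTP")

    if "httponly" not in cookie.attrs:
        findings.append("HttpOnly attribute missing: ticket readable by page scripts")

    return findings


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        result = check_ticket_cookie(header, "corp.example.com")
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run it against the Set-Cookie header your Web AS returns after a successful logon (for example, copied from the browser's network tools) with the DNS domain you defined as the second argument. The ticket's own validity period is set server-side by login/ticket_expiration_time and is not visible in the cookie attributes, so it has to be reviewed in the profile rather than here.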