Terminate Portal User Login with JSessionID or MYSAPSSO2 Cookie

Dear All,
I know that using Visual Administrator we can terminate the session.
Is it possible for the administrator to terminate a logged-in portal user programmatically, given his/her JSESSIONID or MYSAPSSO2 cookie value or user ID?
Is it possible for a portal admin to forcibly exit (log out) an active user login without logging on to Visual Administrator?
Regards,
Eben Joyson

The only complete mitigation for session hijacking is to run the entire site as SSL. This is Oracle's recommendation if you need a complete mitigation solution. An example of an ATG site running in full SSL is Dennis Kirk (denniskirk.com).
The problem with doing so is that SSL (a) takes more processing power in the system running the client's browser and (b) incurs latency that degrades the perceived page performance. This is particularly true for consumers running Internet Explorer, where speed-up measures like SPDY are either incomplete or don't work. And for a hard-core eCommerce site, slower page performance means that you make less money.
Most sites, including those that you mention, use a mixture of SSL and non-SSL pages to overcome this. They use non-SSL for those areas of the site where penetration does not have a material negative impact. Browsing catalog pages as an anonymous user, for example. If someone hijacks my session and I'm browsing the catalog anonymously, they're welcome to it. There's nothing private in my session. Even robots can access that content.
Once I login or go to pages where private information is being exchanged, then you have to secure the session. That's where the protocol switcher servlet comes in. As you authenticate, you switch the user to SSL.
I've tried a number of additional mitigation steps. Unfortunately I can't discuss them here at this time.
And none of the servlets that you mention have any benefit with mitigating session hijacking.
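The mixed HTTP/HTTPS layout the answer describes (anonymous catalog on plain HTTP, a protocol switch at authentication) can be expressed as a servlet filter. The block below is an added example written for this page; it is not code from the thread and not Oracle ATG's protocol switcher servlet. It assumes the Servlet 3.0 API (for `@WebFilter`), that the login form POSTs to `/login`, and that the login code stores the principal in a session attribute named `authenticatedUser`; the private path prefixes are placeholders.

```java
// Added example, not code from the thread and not Oracle ATG's protocol switcher
// servlet: a servlet Filter that applies the two rules the answer describes.
//   1. Anonymous catalog browsing stays on plain HTTP; anything under a private
//      path prefix, and every request once the user is authenticated, is
//      redirected to HTTPS.
//   2. Immediately before the credentials are checked, the pre-login session is
//      discarded and a fresh one created, so a session ID that was exposed on a
//      plain-HTTP page is worthless after login (session-fixation defense).
// Assumptions: Servlet 3.0 API (for @WebFilter), the login form POSTs to
// /login, and the login servlet stores the principal in the session attribute
// "authenticatedUser". All three are placeholders for this example.
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter("/*")
public class SecureSessionFilter implements Filter {

    // Path prefixes (relative to the context root) that carry private data.
    private static final List<String> PRIVATE_PREFIXES =
            Arrays.asList("/login", "/account", "/checkout");

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());

        HttpSession session = request.getSession(false);
        boolean authenticated =
                session != null && session.getAttribute("authenticatedUser") != null;

        // Rule 1: switch protocol. request.isSecure() is true only for HTTPS
        // (or when the container has been told to trust a TLS-terminating proxy).
        if ((isPrivate(path) || authenticated) && !request.isSecure()) {
            String target = request.getRequestURL().toString().replaceFirst("^http://", "https://");
            if (request.getQueryString() != null) {
                target += "?" + request.getQueryString();
            }
            response.sendRedirect(target);
            return;
        }

        // Rule 2: rotate the session before the login servlet authenticates.
        // Nothing is copied across on purpose: an anonymous cart, if any, should be
        // re-attached by the login code after the password check, not inherited blindly.
        if ("/login".equals(path) && "POST".equalsIgnoreCase(request.getMethod())) {
            if (session != null) {
                session.invalidate();
            }
            request.getSession(true);
        }

        chain.doFilter(req, res);
    }

    static boolean isPrivate(String path) {
        for (String prefix : PRIVATE_PREFIXES) {
            if (path.equals(prefix) || path.startsWith(prefix + "/")) {
                return true;
            }
        }
        return false;
    }
}
```

With Servlet 3.0 the session cookie itself can additionally be marked `Secure` and `HttpOnly` in web.xml (`<session-config><cookie-config>`), so the post-login session ID is never sent over plain HTTP at all. As the answer says, this only narrows the exposure window on the anonymous pages; running the whole site over SSL remains the complete mitigation.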

Similar Messages

  • How to get an alert when user login with "DDIC" in any of the systems?

    Hi all,
Is it possible, whenever a user logs in with the DDIC user in any of the satellite systems, to get an alert as a DDIC login attempt in any system?
Is this possible in CCMS or BPM or...?
    Regards,
    Neni

    Hi Srikrishna,
The link which you have given is good. But when I log in with DDIC I am not getting alerts, and I am not able to add any satellite system under the Security node.
My configuration:
Maximum values for list                               1 min
When should an alert be triggered?
From value                   Red               Severity      2
Max. number of alerts for each message ID             50
Max. number of lines to be saved                      50
SM19
Client     *                                                     Events
User       DDIC selected - Dialog logon         All
                                       system
    Please help me.
    Regards,
    Swaroop

  • Portal User Login History

    I am looking for a way to create a procedure or use an api in order to return the last time a portal user logged in to their account. Any suggestions?

    I cannot think of any APIs in the PDK that will do this, but it is very simple to do via custom coding etc.
    Create a table with a minimum of these base columns:
    PORTAL_USERNAME
    LAST_LOGIN_DATE
    etc.
    You could create a custom login or logout portlet which uses the WWSEC APIs and also reference a function that adds or updates a row in the above sample table. That way you can keep track of this information. If you use a custom portlet, remember to turn off your page links as appropriate so that there are no ways to escape using the custom portlet!
    It is probably best to do it on the login process and people may not log out properly, i.e., close the browser which means you do not get an accurate picture of log in times.
    You then can in your custom portlets/apps etc. do a check against this table to do simple things like 'Welcome back John' etc. etc.

  • User login with details

    hi guys,
I need to come up with a report of the user login details, which has to have the date and time of the user login to SAP, the terminal ID it was accessed from and the transactions done. Can anyone tell me what table it comes from? Or is there an existing report where I can view all this? Thanks

    hi,
You can find the transactions by a particular user from transaction SM04.
SM04 gives you the details of the users logged in, terminals, transactions the user is working on, the time he has logged in, number of sessions the user has opened, and the memory used by the user's programs, all of that with respect to the client we log in to. But we can't get info like the date and number of times the user has logged in.
You can see tables:
    USR01 User master record (runtime data)
    USR02 Logon data
    USR03 User address data
    USR05 User Master Parameter ID
    USR12 User master authorization values
    You can also use transaction code ST03N.
    1. Go to tx code - ST03N
    2. Under "Workload" you can select your "Instance or Total" so that it expands and shows you Days, Week, Month.
    3. If you want to look at the transactions executed for a particular day, lets say, then double click on any day.
    4. At the bottom left you get "Analysis Views"
    5. Select & expand "User and Settlement Statistics"
    6. Double click on "User Profile"
    7. On the right side of the window you get a list of all the users
    8. Double click on a particular user you want to view the details of.
    9. The new screen will display the "Transactions/Reports Utilized by User XXX"
If you want to track which users executed a particular transaction then follow this:
    10. In "Analysis Views" expand "Transaction Profile"
    11. Double click on "Standard"
    You can view the list of Transactions and Reports.
12. Double click on the Tx Code or Report you want to check and it will show the use of it.
    hope this is helpful
    regards,
    sravanthi

  • Disable multiple users login with single user id

    hi,
I have a problem. I give a single user ID to a person and many people log in to the server from different computers through that ID.
Please tell me how to block this so that only one user can log in with a particular ID at a particular time.

    Hi Balaji,
    To disable multiple logins add parameter login/disable_multi_gui_login = 1 using RZ10
Hope this helps!
    Juan
    Please reward with points if helpful

  • JSP-MySQL user login with username, password and registration

    Hi everyone:
I need to create a simple JSP client login with username and password. There is also a registration link for those not registered yet.
I am using Tomcat and MySQL and have already created a client login page with username and password (the record is already in the database).
I now have no idea how to create a registration link, i.e. update the database. Please help. The examples I found through Google were built with JBoss, Struts or Apache Geronimo, which I am not familiar with.
Is there any "package" or "wizard" available for creating the login and registration page? Most web pages are built with a user login and registration part; may I know how they "create" them?
Please help.. Thanks in advance!

    hi,
You can use Tomcat 5.5 for this. You can get help from the following link.
http://tomcat.apache.org/tomcat-5.5-doc/jndi-datasource-examples-howto.html
If your registration page is RegistrationPage.jsp then you can write it:
<a href="RegistrationPage.jsp">Registration Page</a>
For the registration page you have to use a session; you can search for this on the javaworld.com site. Maybe from this you will get your solution.
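A concrete form of the "update the database" step the question asks about, as an added example written for this page (not code from the thread or from Tomcat): a registration servlet for the JSP/Tomcat/MySQL setup described above. It stores a salted PBKDF2 hash rather than the password itself and inserts through a `PreparedStatement`, so the submitted username cannot change the SQL. Assumed names: the servlet path `/register`, a Tomcat JNDI DataSource `jdbc/ClientDB` configured as in the linked how-to, a table `users(username VARCHAR PRIMARY KEY, pw_hash VARCHAR, pw_salt VARCHAR)`, and a `login.jsp` page; `RegistrationPage.jsp` is the name from the answer.

```java
// Added example (not code from the thread): a registration servlet for a
// JSP + Tomcat + MySQL login. Reads the form fields, stores a salted PBKDF2
// hash instead of the password, and inserts with a PreparedStatement.
// Assumptions (placeholders): servlet path /register, JNDI DataSource
// jdbc/ClientDB, table users(username PK, pw_hash, pw_salt), page login.jsp.
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.SQLIntegrityConstraintViolationException;
import java.util.Base64;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

@WebServlet("/register")
public class RegisterServlet extends HttpServlet {

    private static final int ITERATIONS = 100_000;
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        // Reject empty names and very short passwords before touching the database.
        if (username == null || username.trim().isEmpty()
                || password == null || password.length() < 8) {
            resp.sendRedirect("RegistrationPage.jsp?error=invalid");
            return;
        }

        byte[] salt = new byte[16];
        RNG.nextBytes(salt);                       // fresh random salt per account
        String hash = hashPassword(password.toCharArray(), salt);

        try (Connection c = lookupDataSource().getConnection();
             PreparedStatement ps = c.prepareStatement(
                     "INSERT INTO users (username, pw_hash, pw_salt) VALUES (?, ?, ?)")) {
            ps.setString(1, username.trim());      // bound parameter, never concatenated
            ps.setString(2, hash);
            ps.setString(3, Base64.getEncoder().encodeToString(salt));
            ps.executeUpdate();
            resp.sendRedirect("login.jsp?registered=1");
        } catch (SQLIntegrityConstraintViolationException dup) {
            // PRIMARY KEY on username: the name is taken; say so without leaking SQL details.
            resp.sendRedirect("RegistrationPage.jsp?error=taken");
        } catch (SQLException | NamingException e) {
            throw new ServletException("registration failed", e);
        }
    }

    // PBKDF2-HMAC-SHA256, 256-bit output, Base64 for storage in a VARCHAR column.
    // The login page verifies by recomputing this with the stored salt.
    static String hashPassword(char[] password, byte[] salt) throws ServletException {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
            byte[] dk = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return Base64.getEncoder().encodeToString(dk);
        } catch (GeneralSecurityException e) {
            throw new ServletException("password hashing failed", e);
        }
    }

    private static DataSource lookupDataSource() throws NamingException {
        return (DataSource) new InitialContext().lookup("java:comp/env/jdbc/ClientDB");
    }
}
```

The registration link from the answer then points at a JSP whose form POSTs to `/register`. On the login side, fetch `pw_hash` and `pw_salt` for the submitted username, recompute `hashPassword` with the stored salt, and compare the two byte arrays with `java.security.MessageDigest.isEqual` rather than `String.equals`, so the comparison time does not depend on where the first mismatch occurs.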

  • Any method to prevent a user login with 1 account, but several machines?

May I ask for your recommendations to prevent a user from logging in to my application with his/her account through different computers?
    Background information:
    1. My application is developed with BC4J framework.
2. Login details: Once a user is validated with their user id and password stored in a backend database table, he/she would be granted the right to use my application with a common connection account, as stated in the configuration details specified.
    Here is my solution:
- When a user logs in to my application, I'll look up whether there is any existing user record in a database table, let's say TBL_CURR_USERS. If no user record is found, the user will be granted the right to launch my applications and have a user record written to the table TBL_CURR_USERS. If a user record is found, the user will receive an error message - "Your specified account is in use. You are not allowed to enter until your specified account has been logged off."
- Problem: My problem is - how to trigger the event for removing the record in the table TBL_CURR_USERS when the user logs out implicitly or the internet connection is interrupted. Let's say the user closes the browser by clicking the 'X' icon; I have nothing to trigger my deletion of the user record in the TBL_CURR_USERS table. If so, in the long term, many users will not be able to use my application until housekeeping is done for the table TBL_CURR_USERS ... what should I do? Any Java solutions or JDeveloper solutions available?
    Thanks for your replying!

I had the same problem and I resolved it in a different way. In the application server I have a Set in the context; I add a user when the login is successful and I remove it (I store the user in the session as well) when the session expires (I have a session listener) or when the user explicitly logs out.
I don't need a table and I don't need to do anything if the application server crashes.
    If you don't use connection pooling you could use a logon trigger on the database.
    I hope it helps,
    Giovanni
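The approach Giovanni describes (a set kept in the web application context, filled at login and emptied by a session listener, with no database table) also answers the question at the top of this page, since a registry keyed by user ID lets an administrator end a specific user's login programmatically. The block below is an added example written for this page, not code from either thread; the class name, the `userId` session attribute and the method names are assumptions, and it relies only on the standard servlet API (Servlet 3.0 for `@WebListener`).

```java
// Added example (not code from the thread): a session registry in the web app.
//   * login()  refuses a second concurrent login for the same account (the
//     TBL_CURR_USERS idea, without a table to house-keep).
//   * sessionDestroyed() runs on explicit logout AND on container timeout, so a
//     closed browser frees the account once the session expires.
//   * terminate() lets an admin end a user's login by user ID.
// Assumed names: UserSessionRegistry, session attribute "userId".
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener
public class UserSessionRegistry implements HttpSessionListener {

    private static final String USER_ATTR = "userId";

    // user ID -> the one live session for that user (one registry per JVM).
    private static final Map<String, HttpSession> ACTIVE = new ConcurrentHashMap<>();

    /** Called by the login code after the password check succeeded.
     *  Returns false, leaving the earlier login untouched, if the account is in use. */
    public static boolean login(HttpSession session, String userId) {
        HttpSession previous = ACTIVE.putIfAbsent(userId, session);
        if (previous != null && previous != session) {
            return false;   // "Your specified account is in use."
        }
        session.setAttribute(USER_ATTR, userId);
        return true;
    }

    /** Explicit logout: invalidating the session fires sessionDestroyed, which cleans up. */
    public static void logout(HttpSession session) {
        session.invalidate();
    }

    /** Administrative termination by user ID, without a management console. */
    public static boolean terminate(String userId) {
        HttpSession s = ACTIVE.get(userId);
        if (s == null) {
            return false;
        }
        try {
            s.invalidate();                      // sessionDestroyed removes the entry
        } catch (IllegalStateException alreadyInvalid) {
            ACTIVE.remove(userId, s);            // stale entry; drop it ourselves
        }
        return true;
    }

    public static boolean isActive(String userId) {
        return ACTIVE.containsKey(userId);
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) { }

    // The container calls this before the session becomes unusable, so the
    // attribute is still readable here. remove(key, value) only clears the entry
    // if it still points at this session, so an expiring stale session cannot
    // knock out a newer login by the same user.
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        Object userId = s.getAttribute(USER_ATTR);
        if (userId != null) {
            ACTIVE.remove((String) userId, s);
        }
    }
}
```

The closed-browser case is handled by the session timeout: the account stays marked in use for at most the configured session timeout, after which the container destroys the session and the listener frees it. The static map is per JVM; in a clustered deployment with session replication the registry has to live in a shared store instead.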

  • Same portal user logins when open in new tab/window

    hi all,
I have an issue: how can I use the portal with different logins (i.e.) in different tabs or windows? Currently I have to log off every time to log in as a new user; is it something to do with IE settings?
    tnx,
    JB

    Hi,
Yes, you cannot log in to the portal with two different users in the same browser. If you want to use another user you have to use another browser. For example, say user1 has logged into the portal using IE; in that IE you cannot log in to the portal with another user, say user2.
    Hope it helps.......
    Thanks,
    Rahul.

  • User login with domain suffix possible?

    Hello everyone,
    I've implemented a Portal EP 7.0 SP18. The user management is mapped to 2 different LDAP-Domains.
Everything works fine. Unfortunately there are several users with duplicate users across the 2 domains and they can't log on (as already described in the documentation).
Now my question: is there a way to build the logon by LDAP with a user suffix, e.g. @domain1?
    Best regards, Bernd Hülsebusch

    Dear Anja,
I've read the help file and changed the system connector to
    Logon Method = UIDPW and
    User Mapping Type = admin
    So only the admin can set the user mapping in the UME UI. This works!
Additionally I've set the UME property ume.usermapping.admin.pwdprotection to false, because normally the admin does not know the password of a user. I've restarted the server, but unfortunately it has no effect:
In the user mapping of the UME the admin must still enter a password. What might be the reason?
    Best regards, Bernd Hülsebusch

  • Portal Users Login Time during a particular interval

    Hello,
    I have gone through many forums and blogs but didn't find any helpful comments on how do I get the list of users and their respective login times during a particular time interval. All my users are stored inside the portal only, I am not using a dual stack system. Please tell me if there is some way to find out the solution to this problem.
    Thanks  & Regards
    Ashish Patel

    Dear Ashish
Have you checked the Portal DB tables?
    For example this table WCR_USERSTAT  might be of use to you (but there are others).
    But you might not find the information for "a particular interval". I believe you will have to do some development for that.
    Kind Regards
    /Ricardo Quintas

  • User Login with jquery mobile

I have this code that works perfectly, but when I embed it with jQuery Mobile it fails to work. It's a user authentication code.
    <%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
    <!--#include file="../Connections/VT.asp" -->
    <%
        ' *** Validate request to log in to this site.
        MM_LoginAction = Request.ServerVariables("URL")
        If Request.QueryString <> "" Then MM_LoginAction = MM_LoginAction + "?" + Server.HTMLEncode(Request.QueryString)
        MM_valUsername = CStr(Request.Form("username"))
        If MM_valUsername <> "" Then
            Dim MM_fldUserAuthorization
            Dim MM_redirectLoginSuccess
            Dim MM_redirectLoginFailed
            Dim MM_loginSQL
            Dim MM_rsUser
            Dim MM_rsUser_cmd
            MM_fldUserAuthorization = ""
            MM_redirectLoginSuccess = "source.asp"
            MM_redirectLoginFailed = "error.asp"
            MM_loginSQL = "SELECT Username, Password"
            If MM_fldUserAuthorization <> "" Then MM_loginSQL = MM_loginSQL & "," & MM_fldUserAuthorization
            MM_loginSQL = MM_loginSQL & " FROM dbo.Test_Register_Users WHERE Username = ? AND Password = ?"
            Set MM_rsUser_cmd = Server.CreateObject ("ADODB.Command")
            MM_rsUser_cmd.ActiveConnection = MM_VT_STRING
            MM_rsUser_cmd.CommandText = MM_loginSQL
            MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param1", 200, 1, 70, MM_valUsername) ' adVarChar
            MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param2", 200, 1, 50, Request.Form("password")) ' adVarChar
            MM_rsUser_cmd.Prepared = true
            Set MM_rsUser = MM_rsUser_cmd.Execute
            If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
                ' username and password match - this is a valid user
                Session("MM_Username") = MM_valUsername
                If (MM_fldUserAuthorization <> "") Then
                    Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
                Else
                    Session("MM_UserAuthorization") = ""
                End If
                if CStr(Request.QueryString("accessdenied")) <> "" And true Then
                    MM_redirectLoginSuccess = Request.QueryString("accessdenied")
                End If
                MM_rsUser.Close
                Response.Redirect(MM_redirectLoginSuccess)
            End If
            MM_rsUser.Close
            Response.Redirect(MM_redirectLoginFailed)
        End If
    %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Untitled Document</title>
    <link href="http://code.jquery.com/mobile/1.0/jquery.mobile-1.0.min.css" rel="stylesheet" type="text/css" />
    <script src="http://code.jquery.com/jquery-1.6.4.min.js" type="text/javascript"></script>
    <script src="http://code.jquery.com/mobile/1.0/jquery.mobile-1.0.min.js" type="text/javascript"></script>
    </head>
    <body>
    <div data-role="page" id="page">
      <div data-role="header">
        <h1>Header</h1>
      </div>
      <div data-role="content">
    <!-- data-ajax="false" makes jQuery Mobile submit this form as a normal page load, so the server-side Response.Redirect in login_code.asp is followed -->
    <form id="form1" name="form1" method="POST" action="login_code.asp" data-ajax="false">
          <table width="325" border="0" cellpadding="3" cellspacing="3">
            <tr>
              <td width="94"> </td>
              <td width="210"> </td>
            </tr>
            <tr>
              <td>Username</td>
              <td><input type="text" name="username" id="username" /></td>
            </tr>
            <tr>
              <td>Password</td>
          <!-- type="password" so the entry is masked in the browser -->
          <td><input type="password" name="password" id="password" /></td>
            </tr>
            <tr>
              <td colspan="2"><div align="center">
                <input type="submit" name="button" id="button" value="Submit" />
              </div></td>
            </tr>
          </table>
        </form>
      </div>
      <div data-role="footer">
        <h4>Footer</h4>
      </div>
    </div>
    </body>
    </html>

    "Fails to work" in what way?

  • Attachment is not visible if user logs in with Chinese language

    Hello Experts
I have developed one custom workflow, and the attachment is working. But when the user switches to the language Chinese, the user is not able to see the attachments in the notification.
How to resolve this issue with multilingual attachments?
    Thanks
    Rajesh.

    Dear Poster,
    As no response has been provided to the thread in some time I must assume the issue is resolved, if the question is still valid please create a new thread rephrasing the query and providing as much data as possible to promote response from the community.
    Best Regards,
    SDN SRM Moderation Team

  • Override standard user login with the admin login

I remember that on Snow Leopard when a standard user logs in and the screen locks, an admin user could unlock that. How to do this in Lion? Cheers

    I was able to resolve this by following some instructions on the internet.    It's been a while, and I sadly can't recall which was the final solution for me but I'd start with:
    http://arstechnica.com/civis/viewtopic.php?f=19&t=1149073
    which is to:
    /etc/pam.d
    aqua:pam.d root# diff screensaver screensaver.apple
    6c6
    < account    sufficient       pam_group.so no_warn group=admin,wheel fail_safe
    > account    required       pam_group.so no_warn group=admin,wheel fail_safe
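Review bot: the edited line 6 changes the admin/wheel `pam_group.so` entry from `required` to `sufficient` (the `<` line is the live `screensaver` file, the `>` line is the `screensaver.apple` backup). With `sufficient`, a match on group admin or wheel ends the account stack at that line, so any account module listed after it no longer runs for administrators; check what follows line 6 in the file before keeping the change, and keep the `.apple` copy, since a system update may replace the stock file and a diff against the backup is how you would notice.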
    And I believe this changed the unlock dialog box to be the old style (yep just a comment, what gives? )
    cd /etc
    sudo cp authorization authorization.bak
    sudo nano authorization
    Press Control+W and search for "unlock the screensaver"
    Change the line:
    <string>The owner or any administrator can unlock the screensaver.</string>
    to:
    <string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.</string>
    Press Control+X to save /etc/authorization and exit nano.

  • New User login with restart ?

    Hello,
How can a newly created user (in the WLS console or in the application)
log in to the application without restarting WLS or modifying
weblogic.xml?
I have seen some messages regarding this but did not find a suitable answer.
    Thanks
    Deepak

Hi,
I am using WLS6.1 SP1. I have configured WLS to use CachingRealm (RDBMSRealm). I have also configured Security-Role and security-role-assignment in Web.xml and Weblogic.xml respectively. All these configurations are working fine. Pages are protected, valid users are logged in, invalid user/password throws the failed login page etc.
What I also want to get working is....
When I create a new user through the console or application, that user is successfully added to the underlying DB table and it is refreshed; it is also visible in the console. It is also associated to one of the groups which is also configured as a Security-Role. (Only in DB. A usergroup in the DB table is mapped to a security-role one-to-one.)
The problem is:
Now when I try to log in using this new userid, I won't be able to log on. I know that, at this point, the new user is not yet assigned to any Security-Role in WebLogic.XML. But when I manually change Weblogic.xml to make this association and restart the server, then it WORKS !!! Well it should and it does.
1. How to make this work without restarting the server?
2. Every time I create a new user, should I change weblogic.xml to associate this user to one of the security roles?
3. How to programmatically implement this? Is this possible?
4. Do the Caching user and/or group parameters affect this issue?
Sorry for the incorrect question in my earlier thread.
Thanks
Deepak
    "Utpal" <[email protected]> wrote in message
    news:[email protected]..
    Could you please post your questions again ? I didn't get what you want to
    do !!
    -Utpal

  • List of Portal users with the assigned Roles.....

    Hello All,
    I am working on EP6 SP9 and want to know from where can I get a list of all Portal users along with the assigned roles for each of them.
    One way I found is by searching for all users in User Administration role and along with the searched users, there is also an icon for Assigned roles.
    Apart from the above mentioned way, is there any other way by which I can get a direct list of the same. Is there a Java sample code for this.....?
    Please help.
    Awaiting Reply.
    Thanks and Warm Regards,
    Ritu R Hunjan

    Hi Ritu,
    Yes it is possible to get the roles of the users. You can try the following java code.
package com.hcl.user;
import java.util.Iterator;
import com.sap.security.api.IRole;
import com.sap.security.api.IRoleFactory;
import com.sap.security.api.IRoleSearchFilter;
import com.sap.security.api.ISearchResult;
import com.sap.security.api.IUser;
import com.sap.security.api.IUserAccount;
import com.sap.security.api.IUserFactory;
import com.sap.security.api.UMFactory;
import com.sapportals.portal.prt.component.AbstractPortalComponent;
import com.sapportals.portal.prt.component.IPortalComponentRequest;
import com.sapportals.portal.prt.component.IPortalComponentResponse;
public class role_member extends AbstractPortalComponent {
    public void doContent(IPortalComponentRequest request, IPortalComponentResponse response) {
        try {
            IUserFactory userfactory = UMFactory.getUserFactory();
            IRoleFactory rolefactory = UMFactory.getRoleFactory();
            IRoleSearchFilter rolefltr = rolefactory.getRoleSearchFilter();
            rolefltr.setMaxSearchResultSize(2000);
            ISearchResult result = rolefactory.searchRoles(rolefltr);
            // one HTML table per role: a header row with the role name, then one row per member
            while (result.hasNext()) {
                response.write("<table border=0>\n");
                String uniqueid = (String) result.next();
                IRole role = rolefactory.getRole(uniqueid);
                response.write("<tr><td bgcolor=Red>" + role.getDisplayName() + "</td></tr>\n");
                Iterator users = role.getUserMembers(true);
                while (users.hasNext()) {
                    String unique_user = (String) users.next();
                    IUser user = userfactory.getUser(unique_user);
                    IUserAccount account[] = user.getUserAccounts();
                    // a user may have no logon account; skip rather than fail on account[0]
                    if (account != null && account.length > 0) {
                        response.write("<tr><td>" + account[0].getLogonUid() + "</td></tr>\n");
                    }
                }
                response.write("</table>\n");
                response.write("<br>\n");
            }
        } catch (Exception e) {
            response.write("Could not list roles: " + e.getMessage());
        }
    }
}
    This code gives you the list of all the users of your portal along with the roles assigned to them.
Apart from this, if you want to know all the roles assigned to a user on the portal itself, then the way you mentioned is the correct method.
    Regards
    Pravesh
    PS: Please consider awarding points.
