topic Re: Hide server information access in QlikView

Hide server information access

julruiz123 — Mon, 26 Jan 2026 18:19:17 GMT

Hello!!

In a current customer did us a test of the security of the platform.

They found us two vulnerabilities:

- When the user access to the "access point" it's possible see critical information, like the name of the server, that can be used to possible attacks. How hide the server information access ??

- Once the user authenticates, the browser save the session, so if other user get acces to the computer he can access to the "acces point". They want that each time that the user open the browser the system ask the user name and password. Is there a way to erase the session variable ?.

Thanks for the help!!

Have a good day!!

Re: Hide server information access

Peter_Cammaert — Tue, 01 Sep 2015 10:04:04 GMT

Hmm, I'm not sure if I can answer these questions to satisfaction but I'll try my best to shed some light on the issues at hand.

Server name: to connect to a server, you have to know its name. You can remove these details from the access point, but any user only has to enable the address bar in his/her browser to see the server name. I'm not sure how you want to avoid that...

Log in: actually, authentication is done outside of QlikView, usually by AD. If a user with an enterprise PC logs in into his/her machine, the login for QlikView has already happened though QlikView has not yet been called upon.

I guess you could intercept this kind of blanket authentication by assigning/programming a custom login page to the QlikView AccessPoint and force it to timeout after a certain period of inactivity.

Peter

Re: Hide server information access

qlikviewwizard — Wed, 02 Sep 2015 02:17:23 GMT

Hi Bill,

How it will work. Could you please elaborate? Thank you.

Re: Hide server information access

Bill_Britt — Wed, 02 Sep 2015 20:18:05 GMT

HI QlikView Wizard,

I deleted my post. When I am working on the Community at times I have several windows open at the same time. I put that here by mistake.

Bill

Re: Hide server information access

qlikviewwizard — Thu, 03 Sep 2015 03:50:09 GMT

Okay (y)

Re: Hide server information access

julruiz123 — Fri, 04 Sep 2015 19:32:22 GMT

Hi Peter!!!

I enabled the alternative login page, but when i open the explorer the first time it tries to authenticate.

Once the user is authenticated and sign out the session, it shows the custom login page. Is there a way that when the user opens the browser is not automatically authenticate ?.

What I want is that the user to authenticate twice in the computer and the access point.

Another question. I tried to authenticate with a user that exists in the domain , but doesn't have an assigned license. I need to restrict access to the access point , if the user doesn't have a license assigned.

Thanks in advanced!!!

Re: Hide server information access

Peter_Cammaert — Mon, 07 Sep 2015 08:54:47 GMT

Funny, that doesn't happen on my machine. I'm using IE11 and Google Chrome and both show the login page immediately. Whether I enable Integrated Windows Authentication or not. Can you clear the browser cache and try again? Windows also caches authentication information somewhere else but I'm not sure whether this has any impact on web sites.
Not with standard QlikView Server techniques. Remember that QVS also has a feature called Dynamic CAL assignment. That feature would be useless if people without a CAL aren't allowed to visit the AccessPoint, as licenses are only dynamically assigned when they click on a thumbnail and open a QlikView document.
You can however customize the code for your own QlikView login page, so that it uses the QMS API to check whether this person actually has a license before letting him/her enter the AP.

Best,

Peter

Re: Hide server information access

qlikviewwizard — Sat, 12 Sep 2015 02:45:46 GMT

Hi julruiz123

Just curious. Did you able to resolve this? Please share the solution. Thanks in advance.

Re: Hide server information access

julruiz123 — Mon, 14 Sep 2015 20:57:39 GMT

Hi!!!

Respect with the two situations:

"Once the user is authenticated and sign out the session, it shows the custom login page. Is there a way that when the user opens the browser is not automatically authenticate ?."

R/ If i include the complete address "qlikview/FormLogin.htm" it works fine. But with this address "/qlikview/index.htm" it tries to authenticate.

"I tried to authenticate with a user that exists in the domain , but doesn't have an assigned license. I need to restrict access to the access point , if the user doesn't have a license assigned.

R/ I haven't resolved yet. Do you have any example how customize the login page ?