topic Security considerations for dashboards access over internet in QlikView https://community.qlik.com/t5/QlikView/Security-considerations-for-dashboards-access-over-internet/m-p/382960#M1274630 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>We are currently using the following set-up on our QV environment to provide access to end users over internet. These are the internal users who would be accessing the dashboards using iPad or other internet devises.</P><P></P><P>1. We have a SSO solution which handles the secuirty and passes the login credentials as a HTTP header.</P><P>2. QlikView web server (no IIS) uses header authentication to read the header values and pass the same to QVS</P><P>3. QVS uses the DMS authorization to publish dashboards to users.</P><P></P><P>This configuration is working fine for me. But I have the following queries with respect to the security levels of this solution. Can you pelase help me to understand how QlikView handles the below when the above set of configurations are used.</P><P></P><P>HTTP Trace:</P><P>Are there any options available to disable trace for QWS?</P><P>Session Fixation:</P><P><SPAN style="font-size: 10pt; font-family: Times New Roman;"></SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">The application sets a session identifier (cookie) for every new visitor prior to authentication. On successful login the session identifier </SPAN><SPAN style="font-family: arial,helvetica,sans-serif;">is not refreshed. can this cause session fixation?</SPAN></P><P></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">Secure flag on Session ID:</SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">How to set the secure flag for the session id? Having this only let browser to send the cookie over HTTPS. Is there a way to change this setting?</SPAN></P><P></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">HTTPonly flag on Session ID:</SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">Having this flag allows access to the cookie through client side script. Is there a way to configure this?</SPAN></P><P></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">Regards,</SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">Murali</SPAN></P><P></P><P></P></BODY></HTML> Mon, 26 Jan 2026 18:19:17 GMT Anonymous 2026-01-26T18:19:17Z Security considerations for dashboards access over internet https://community.qlik.com/t5/QlikView/Security-considerations-for-dashboards-access-over-internet/m-p/382960#M1274630 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>We are currently using the following set-up on our QV environment to provide access to end users over internet. These are the internal users who would be accessing the dashboards using iPad or other internet devises.</P><P></P><P>1. We have a SSO solution which handles the secuirty and passes the login credentials as a HTTP header.</P><P>2. QlikView web server (no IIS) uses header authentication to read the header values and pass the same to QVS</P><P>3. QVS uses the DMS authorization to publish dashboards to users.</P><P></P><P>This configuration is working fine for me. But I have the following queries with respect to the security levels of this solution. Can you pelase help me to understand how QlikView handles the below when the above set of configurations are used.</P><P></P><P>HTTP Trace:</P><P>Are there any options available to disable trace for QWS?</P><P>Session Fixation:</P><P><SPAN style="font-size: 10pt; font-family: Times New Roman;"></SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">The application sets a session identifier (cookie) for every new visitor prior to authentication. On successful login the session identifier </SPAN><SPAN style="font-family: arial,helvetica,sans-serif;">is not refreshed. can this cause session fixation?</SPAN></P><P></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">Secure flag on Session ID:</SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">How to set the secure flag for the session id? Having this only let browser to send the cookie over HTTPS. Is there a way to change this setting?</SPAN></P><P></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">HTTPonly flag on Session ID:</SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">Having this flag allows access to the cookie through client side script. Is there a way to configure this?</SPAN></P><P></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">Regards,</SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">Murali</SPAN></P><P></P><P></P></BODY></HTML> Mon, 26 Jan 2026 18:19:17 GMT https://community.qlik.com/t5/QlikView/Security-considerations-for-dashboards-access-over-internet/m-p/382960#M1274630 Anonymous 2026-01-26T18:19:17Z