Skip to main content
Woohoo! Qlik Community has won “Best in Class Community” in the 2024 Khoros Kudos awards!
Announcements
Nov. 20th, Qlik Insider - Lakehouses: Driving the Future of Data & AI - PICK A SESSION
cancel
Showing results for 
Search instead for 
Did you mean: 
Anonymous
Not applicable

Security considerations for dashboards access over internet

Hi All,

We are currently using the following set-up on our QV environment to provide access to end users over internet. These are the internal users who would be accessing the dashboards using iPad or other internet devises.

1. We have a SSO solution which handles the secuirty and passes the login credentials as a HTTP header.

2. QlikView web server (no IIS) uses header authentication to read the header values and pass the same to QVS

3. QVS uses the DMS authorization to publish dashboards to users.

This configuration is working fine for me. But I have the following queries with respect to the security levels of this solution. Can you pelase help me to understand how QlikView handles the below when the above set of configurations are used.

HTTP Trace:

Are there any options available to disable trace for QWS?

Session Fixation:

The application sets a session identifier (cookie) for every new visitor prior to authentication. On successful login the session identifier is not refreshed. can this cause session fixation?

Secure flag on Session ID:

How to set the secure flag for the session id? Having this only let browser to send the cookie over HTTPS. Is there a way to change this setting?

HTTPonly flag on Session ID:

Having this flag allows access to the cookie through client side script. Is there a way to configure this?

Regards,

Murali

0 Replies