0 Replies | Latest reply: Aug 31, 2012 7:48 AM by murali dhar

    Security considerations for dashboards access over internet

    murali dhar

      Hi All,


      We are currently using the following set-up on our QV environment to provide access to end users over the internet. These are internal users who would be accessing the dashboards using an iPad or other internet devices.


      1. We have an SSO solution which handles the security and passes the login credentials as an HTTP header.

      2. QlikView web server (no IIS) uses header authentication to read the header values and pass the same to QVS.

      3. QVS uses the DMS authorization to publish dashboards to users.


      This configuration is working fine for me, but I have the following queries with respect to the security levels of this solution. Can you please help me to understand how QlikView handles the below when the above set of configurations is used.


      HTTP Trace:

      Are there any options available to disable trace for QWS?

      Session Fixation:

      The application sets a session identifier (cookie) for every new visitor prior to authentication. On successful login the session identifier is not refreshed. Can this cause session fixation?


      Secure flag on Session ID:

      How do I set the secure flag for the session ID? Having this only lets the browser send the cookie over HTTPS. Is there a way to change this setting?


      HTTPonly flag on Session ID:

      Having this flag allows access to the cookie through client-side script. Is there a way to configure this?


      Regards,

      Murali
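The four concerns raised in the post (the Secure and HttpOnly flags on the session cookie, a session identifier that is not refreshed after login, and whether TRACE is offered by the web server) can all be verified from captured HTTP responses, for example copied out of a browser's developer tools or a proxy, without touching the server configuration. The script below is an added example and is not code from the original post or from QlikView. It parses raw response text and reports findings. The cookie name `EXAMPLESESSION`, all sample responses, and the assumption that the server lists its supported methods in the `Allow` header of an `OPTIONS` response are constructed for this example; substitute the deployment's own cookie name and real captures when using it. Note that HttpOnly keeps the cookie out of reach of client-side script, so its absence, not its presence, is the finding.

```python
"""Offline checks for session-cookie flags, session fixation and HTTP TRACE.

Input is raw HTTP response text (status line + headers [+ body]).
All sample responses below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: name of the session cookie in the deployment under review.
SESSION_COOKIE = "EXAMPLESESSION"


@dataclass
class CookieInfo:
    name: str
    value: str
    secure: bool
    httponly: bool


def _header_lines(raw_response: str) -> list[str]:
    """Return the header lines of a raw response, skipping the status line."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


def parse_set_cookies(raw_response: str) -> list[CookieInfo]:
    """Extract every Set-Cookie header and record its Secure/HttpOnly attributes."""
    cookies: list[CookieInfo] = []
    for line in _header_lines(raw_response):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cname, _, cval = parts[0].partition("=")
        # Attribute-only tokens such as "Secure" and "HttpOnly" compare directly.
        attrs = {p.lower() for p in parts[1:]}
        cookies.append(CookieInfo(cname.strip(), cval.strip(),
                                  "secure" in attrs, "httponly" in attrs))
    return cookies


def cookie_flag_findings(cookies: list[CookieInfo]) -> list[str]:
    """One finding per missing flag; an empty list means both flags are present."""
    findings = []
    for c in cookies:
        if not c.secure:
            findings.append(f"{c.name}: missing Secure flag (cookie may be sent over plain HTTP)")
        if not c.httponly:
            findings.append(f"{c.name}: missing HttpOnly flag (readable by client-side script)")
    return findings


def session_fixation_suspected(pre_login: str, post_login: str, name: str = SESSION_COOKIE) -> bool:
    """True if the session cookie issued before authentication is still valid afterwards.

    That is the case when the post-login response either does not re-issue the
    cookie at all or re-issues it with the same value.
    """
    before = {c.name: c.value for c in parse_set_cookies(pre_login)}
    after = {c.name: c.value for c in parse_set_cookies(post_login)}
    if name not in before:
        return False
    return name not in after or after[name] == before[name]


def trace_advertised(options_response: str) -> bool:
    """True if the Allow header of an OPTIONS response lists TRACE."""
    for line in _header_lines(options_response):
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "allow":
            return "TRACE" in [m.strip().upper() for m in value.split(",")]
    return False


# Constructed sample captures (not from any real deployment).
PRE_LOGIN = ("HTTP/1.1 200 OK\r\n"
             f"Set-Cookie: {SESSION_COOKIE}=abc123; Path=/\r\n"
             "Content-Type: text/html\r\n\r\n<html>login</html>")
POST_LOGIN_WEAK = ("HTTP/1.1 200 OK\r\n"
                   f"Set-Cookie: {SESSION_COOKIE}=abc123; Path=/\r\n\r\n<html>home</html>")
POST_LOGIN_HARDENED = ("HTTP/1.1 200 OK\r\n"
                       f"Set-Cookie: {SESSION_COOKIE}=def456; Path=/; Secure; HttpOnly\r\n"
                       "\r\n<html>home</html>")
OPTIONS_TRACE = "HTTP/1.1 200 OK\r\nAllow: GET, POST, OPTIONS, TRACE\r\n\r\n"
OPTIONS_NO_TRACE = "HTTP/1.1 200 OK\r\nAllow: GET, POST, OPTIONS\r\n\r\n"

if __name__ == "__main__":
    for finding in cookie_flag_findings(parse_set_cookies(PRE_LOGIN)):
        print("cookie:", finding)
    print("session fixation suspected:", session_fixation_suspected(PRE_LOGIN, POST_LOGIN_WEAK))
    print("TRACE advertised:", trace_advertised(OPTIONS_TRACE))
```

Run it against real captures by replacing the constructed strings with the pre-login, post-login and OPTIONS responses from the proxy. The fixation check deliberately treats "no new Set-Cookie after login" as a finding, since that is exactly the situation the post describes.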