Cognos Analytics

  • 1.  During assessment, it has been observed that the user session does not expire when left idle for 15 minutes.

    Posted 22 days ago

    Has anyone been hit with this during your scans? We were told that with SSO there is no workaround, and we submitted an enhancement request years ago. We tried this with MFA using an IdP and it still does not take you back to the login screen. Cognos doesn't prompt for a new login. Any recommendations or explanations you may have used to pass your internal audits?

    CWE-613: Insufficient Session Expiration

    The application did not invalidate the user session after 15 minutes of inactivity. Keeping the session valid for a longer period of time increases the chances of it being stolen, hijacked, or replayed. It can also lead to the unauthorized disclosure of sensitive information displayed within the browser window.



    ------------------------------
    James Hicks
    ------------------------------


  • 2.  RE: During assessment, it has been observed that the user session does not expire when left idle for 15 minutes.

    Posted 22 days ago

    Hi James,

    In IBM Cognos Configuration, in the Explorer pane under Security / Authentication, you need to change:

    to

    900 (instead of 3600). Save and restart Cognos Analytics.

    If you are a supported customer, I guess you need to contact IBM Support.

    Best regards,



    ------------------------------
    Patrick Neveu
    BSL Consulting
    IBM Champion
    ------------------------------



  • 3.  RE: During assessment, it has been observed that the user session does not expire when left idle for 15 minutes.

    Posted 22 days ago

    Thanks. We did that, but our compliance folks are requiring that the login screen shows up after the timeout and requires the user to re-enter their credentials. Currently it does time out, but Cognos is passing the credentials behind the scenes and reverting back to the screen they were on.

    Jim Hicks
    Product Manager
    Community Core
    C: (321)230-3627
    E: jim.hicks@fisglobal.com






  • 4.  RE: During assessment, it has been observed that the user session does not expire when left idle for 15 minutes.

    Posted 21 days ago

    Hi,

    Assuming I understand the situation correctly, the Cognos session is likely timing out. However, the SSO session is still active.
    Hence, if you log out and return to Cognos, the CA session is restored based on the still-active SSO session.

    If you are concerned that the active CA session did not end, check the applicable Cognos session auth cookies. You will notice they have changed since logout even though the login screen does not appear.

    There is a way to overcome this by configuring an SSO logout URL. Once this URL is configured, after logout CA will redirect to the URL of your choice. See: https://www.ibm.com/support/pages/how-redirect-users-after-sign-out-cognos-analytics
    At this target URL you can, if desired, also end the active SSO session, albeit this is likely not a desirable default, since the user will then need to re-authenticate the SSO session not only for Cognos but for other apps also; but that might be desirable in your case.

    Hope this helps.




    ------------------------------
    Shawn Crook
    ------------------------------



  • 5.  RE: During assessment, it has been observed that the user session does not expire when left idle for 15 minutes.

    Posted 20 days ago

    That is by design. Your only option is to configure the logout redirect to an HTML page of your choice.
    On that landing page you could either make a call to log out of the SSO session or give the user an option to return to Cognos.

    As you can appreciate, since the SSO session is valid, Cognos does not re-challenge the SSO user because their SSO credentials are valid. If they visited a different site protected by the same SSO security, you would likely find they are not challenged on that site either.

    I'd be curious to understand how you would want this to behave if the SSO session is still valid, as this concern has been raised by Cognos customers in the past. I believe there is also a pre-login URL you can configure, but I'm not sure if that will fire if the SSO session is valid. But if it does, you could expose a pre-login HTML page that asks the user if they want to continue to Cognos, at which point the CA session cookie would be automagically renewed via the active SSO session.

    IMO, if customers want a feature in which active SSO sessions should still challenge for the SSO credentials, I would think that should be an SSO authentication provider setting. Perhaps that's an option to research in that case also.

    Good luck!



    ------------------------------
    Shawn Crook
    ------------------------------
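
A sketch of the logout landing page that the two replies above describe (the sign-out redirect target that can either end the SSO session or send the user back to Cognos), as an added example that is not from the thread, from IBM, or from any Cognos deployment. It assumes an OIDC IdP exposing an RP-initiated logout endpoint (`end_session_endpoint`); a SAML IdP would need its single-logout endpoint instead. Every URL in it is a placeholder, and the `?return=` parameter and origin allow-list are this example's own additions, there so the landing page cannot be abused as an open redirect.

```javascript
// Added example: a logout landing page for the Cognos "redirect after sign-out"
// URL. Not from the thread or from IBM. All URLs are placeholders (assumptions);
// the IdP is assumed to be OIDC with an RP-initiated logout endpoint.

const IDP_END_SESSION = "https://idp.example.com/oidc/logout";      // assumed IdP end_session_endpoint
const COGNOS_GATEWAY = "https://cognos.example.com/bi/";            // assumed CA gateway
const LANDING_PAGE = "https://cognos.example.com/signed-out.html";  // this page (assumed)
// Origins that ?return= may point at. Anything else is ignored.
const RETURN_ALLOWLIST = ["https://cognos.example.com"];

// Build the IdP logout URL per OIDC RP-Initiated Logout: the IdP ends its own
// session, then sends the browser to post_logout_redirect_uri (which the IdP
// must also have registered for this client).
function buildIdpLogoutUrl(endSession, postLogoutRedirect, idTokenHint) {
  const u = new URL(endSession);
  u.searchParams.set("post_logout_redirect_uri", postLogoutRedirect);
  if (idTokenHint) u.searchParams.set("id_token_hint", idTokenHint);
  return u.toString();
}

// The ?return= target must be an absolute https URL whose origin is on the
// allow-list; anything else (relative, javascript:, look-alike host) falls back.
function safeReturnUrl(candidate, allowlist, fallback) {
  if (typeof candidate !== "string" || candidate === "") return fallback;
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (e) {
    return fallback; // relative or malformed, e.g. "//evil.example.net/x"
  }
  if (parsed.protocol !== "https:" || !allowlist.includes(parsed.origin)) {
    return fallback;
  }
  return parsed.toString();
}

// Decide what to do for the query string the page was loaded with:
//   action=idp_logout -> end the SSO session too (user loses other SSO apps)
//   otherwise         -> show the two choices ("prompt" mode)
function planLanding(queryString) {
  const params = new URLSearchParams(queryString);
  const ret = safeReturnUrl(params.get("return"), RETURN_ALLOWLIST, COGNOS_GATEWAY);
  if (params.get("action") === "idp_logout") {
    // Come back to this page after the IdP logout, not into Cognos, so a
    // still-warm session cannot silently sign the user back in.
    return { mode: "redirect", target: buildIdpLogoutUrl(IDP_END_SESSION, LANDING_PAGE) };
  }
  return { mode: "prompt", target: ret };
}

// Browser-only wiring; skipped when the file is run under Node.
if (typeof document !== "undefined") {
  const plan = planLanding(window.location.search);
  if (plan.mode === "redirect") {
    window.location.replace(plan.target);
  } else {
    document.body.innerHTML =
      "<p>You have been signed out of Cognos Analytics.</p>" +
      '<p><a id="sso">Sign out of single sign-on too</a> | ' +
      '<a id="back">Return to Cognos</a></p>';
    document.getElementById("sso").href = "?action=idp_logout";
    document.getElementById("back").href = plan.target;
  }
}
```

Whichever choice the user makes, the Cognos inactivity timeout from Cognos Configuration still governs the CA session itself; this page only decides whether the IdP session survives the redirect. If the compliance requirement is that the login screen must always reappear, the IdP-side session lifetime or re-authentication policy is the setting to look at, as the last reply suggests.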