Tuesday, 4 November 2014

Siebel Open UI : Profile Attributes vs Browser Cookies

Profile Attribute Security

If you have used Siebel profile attributes, you know that they are name-value pairs that can store any information, including the user profile, and can be retrieved at any time during the application session. When the session is closed, the profile attributes are nullified. This is custom functionality in the HI client.

In earlier versions, 8.1.1.3 or before, we could set profile attributes by entering code like the line below in the browser address bar.

javascript: theApplication().SetProfileAttr("ABC","ABC");

This has been disabled to fix security issues. Oracle identified security vulnerabilities in browser scripting, so in Open UI setting profile attributes from the browser is disabled. For users who are OK with the security constraints, setting profile attributes from browser scripts is enabled by setting the server parameter EditProfileAttr = TRUE. The security reasons for disabling profile attribute setting are unknown, but if security is a consideration for you, there is another option in Open UI.

Browser Cookies

We have all heard this term many times, but few really know what cookies are. Browser cookies are name-value pairs of data that a browser saves from the sites the user visits. Follow this link to learn more about cookies.

Now, let us compare profile attributes and cookies.

1. Scope: Both are name-value pairs. Profile attributes can be used almost everywhere in the application: browser scripts, server scripts, business services and workflows. You do not need a browser session for profile attributes to work. Cookies, however, need a browser session. They work only in JavaScript code such as a PM, PR, postload.js or preload.js.

2. Security: Cookies are vulnerable to attacks from hackers or people on the same network who are trying to steal information. They are safe to use if you write only non-sensitive information to them. Writing a view name to a cookie is fine, but do not save phone numbers, credit card information and the like in cookies. There are ways to create secure cookies. Profile attributes have some security issues when used in browser script.

3. Lifetime: Profile attributes are nullified after the session is closed. Cookies, on the other hand, have a lifetime: we can set the end date of a cookie to a future date. Each browser stores cookies in a separate location. There are ways to share cookies across browsers, but that is outside the scope of this post. If you clear your browser cookies, they are deleted even while you have a session open.
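The cookie handling compared above, as an added example that is not code from the original post or from Oracle: it builds a cookie with an end date and the Secure and SameSite attributes, refuses values that look like phone or card numbers, and reads the value back. The helper names (buildCookie, readCookie, looksSensitive) and the cookie name LastView are assumptions for illustration.

```javascript
// Added example; all function and cookie names here are hypothetical.
// Cookies written from script cannot carry HttpOnly, so any script on the
// page can read them: keep the contents non-sensitive.

// Heuristic guard: reject values containing a run of 7+ digits once common
// separators are removed (phone numbers, card numbers).
function looksSensitive(value) {
  const compact = String(value).replace(/[\s().+-]/g, "");
  return /\d{7,}/.test(compact);
}

// Build the string that would be assigned to document.cookie.
function buildCookie(name, value, opts = {}) {
  if (!/^[A-Za-z0-9_.-]+$/.test(name)) throw new Error("invalid cookie name");
  if (looksSensitive(value)) throw new Error("refusing sensitive-looking value");
  const { days = 0, path = "/", sameSite = "Lax", now = new Date() } = opts;
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (days > 0) {
    // With no Expires the cookie ends with the browser session.
    const expires = new Date(now.getTime() + days * 86400000);
    parts.push(`Expires=${expires.toUTCString()}`);
  }
  parts.push("Secure", `SameSite=${sameSite}`); // Secure: sent over HTTPS only
  return parts.join("; ");
}

// Read one cookie from a document.cookie-style string ("a=1; b=2").
function readCookie(cookieString, name) {
  for (const pair of cookieString.split(";")) {
    const idx = pair.indexOf("=");
    if (idx === -1) continue;
    if (pair.slice(0, idx).trim() === name) {
      return decodeURIComponent(pair.slice(idx + 1).trim());
    }
  }
  return null;
}

// In a PM, PR or postload.js the calls would be:
//   document.cookie = buildCookie("LastView", "Account List View", { days: 7 });
//   const view = readCookie(document.cookie, "LastView");
// Constructed sample run that needs no browser:
const sample = buildCookie("LastView", "Account List View",
  { days: 7, now: new Date(Date.UTC(2014, 10, 4)) });
console.log(sample);
console.log(readCookie("Other=1; LastView=Account%20List%20View", "LastView"));
```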

Overall, for a Siebel developer, profile attributes are the preferable option, but web developers will look to use cookies as much as they can. Siebel is moving toward a web-standard application with Open UI, and cookies are going to play their role in future. It will be interesting to see how useful cookies turn out to be when used in Open UI.
