OpenWGA 7.9 - OpenWGA Concepts and Features

The personalisation mode is an administrative configuration setting determined for each individual OpenWGA web application (on section "Publishing settings"). It chooses a technique how OpenWGA personalisation tries to recognize individual users across multiple browser sessions and then assigns them their personal user profile.

Mode "Session based (no persistence)"

This mode does not persist user profiles and portlet registrations. Instead a temporary profile is created for each user session which is discarded at the end of the session.

This is the default mode since OpenWGA 6, because it does not create any persisted data while still allowing every application to leverage personalisation features. It however is unable to store any data for a user that survives browser sessions.

Another concern with this mode regards cluster environments. The profile is attached to the server session as a "transient property", therefor it is not transported to other cluster nodes. If a user switches the node he loses his profile. You can prevent this by enabling additional (expert) option "Serializable user profile on session". This allows the cluster nodes to serialize the profile to other nodes. Be aware however that this may greatly increase the session synchronisation traffic in your cluster as the user profile may carry large data and is modified frequently.

Mode "Automatic / cookie based"

For applications in this mode a personalisation cookie is stored to the users' browser identifying the individual user via his automatically created "personalisation id". This cookie then can be recognized by OpenWGA on all further browser sessions and used to identify the user and assign him his user profile. The cookie is set with a maximum age of 1 year. It is again set to last a complete year at the beginning of every new browser session, so that the cookie does only expire automatically if the user has not accessed the site for one year.

This is the most robust persistent mode as every user at every time has access to a profile. It however has also it's drawbacks, described in the following sections, that you should be aware of.

Security concerns

One security concern is that the user profile is not really assigned to the user himself but actually to the browser that stores the cookie (or more precisely: The browser profile of the current OS user). Anyone using the browser of the given user (under his operating system account) will have access to the user profile. Protecting the user account from malicous access should prevent this security problem.

Another concern is about the Cookies themselves: They normally are transmitted in plaintext and may easily be sniffed. Additionally they are stored in the users file system in a normally unprotected way and may be fetched from there. That way someone else may gain access to the cookie content and use it to create a cookie with the same content for his own browser, therefor gaining access to the other users profile. So without any further adaptions user profiles in this mode should not store any confidential data.

You can improve the security of this mode by enabling the optional publishing setting Secure application mode for the application in OpenWGA admin client. This can be done if your OpenWGA server is also able to serve requests via an encrypted protocol (mostly HTTPS). Applications in secure application mode will only serve requests via secure protocols. If they are requested on an unsecure protocol they redirect the browser to a secure one. Additionally the personalisation cookie is then stored as "secure cookie", which will prevent the browser from sending it over unsecure protocols and may cause it to store it in an encrypted way.

Profile flooding because of bots

Another problem with the automatic mode may arise because of bots that access your site. These normally do not accept persistent cookies, so OpenWGA regards them new users each time they visit your site and creates an additional user profile  for them. While OpenWGA prevents this most of the time internally (the profile is only stored if the client accepts and stores the session cookie) some bots still manage to create user profiles. This leads to the creating of many unnecessary user profiles. There are two things you can do against this:

• Prevent user profile creation for known bots: OpenWGA can prevent profile creation for bots who use an uniquely identifyable user agent. This is a unique string given by most internet clients as HTTP header to identify their type. Go into OpenWGA admin client, enable "Expert mode" by the checkbox to the top right and navigate in the menu to "Configuration" > "Advanced Configuration". There under tab "Bot Agents" you can tell OpenWGA about user agents known to be bots. Some should come preconfigured with OpenWGA but you can always add more. Bot agents are specified as regular expressions which are matched against the user agent of each request. If the user agent of any request matches a known bot agent OpenWGA will not create a persistent profile for that client but create a temporary one instead.
• Regularely cleanup your personalisation databases: Experience shows that you cannot prevent all bots from creating user profiles. If they use regular browser user agents and are able to accept session cookies they are almost indistinguishable from normal clients, at least for automated processes. The only way to get rid of those is to cleanup user profiles that haven't been used for a time, assuming that they were either created by a bot or by a real user who will not mind if you clear his settings after a time that he has not accessed your site.

Mode "Login"

In login mode OpenWGA uses the login by which a browser user authenticates to the OpenWGA domain as identification. It is more secure than the "automatic" mode as it is bound to the OpenWGA authentication mechanism and the data neccessary to access the cookie - mostly a user/password combination - is not stored anywhere it can be stolen.

Its main drawback is the fact that anonymous users will have no user profile. The WebTML code of the application therefor will not be able to use personalisation features until the user logs in to OpenWGA.