Protecting Session Security

J2EE Engine applications can use system cookies to track user data (such as session tracking, logon data, etc.). These cookies contain sensitive information about the user; therefore, to prevent potential misuse of session information, the cookies should not be exposed to client-side scripts. To increase the security protection of system cookies, you can enable the use of the additional system cookie attribute HttpOnly.

System Cookies

The J2EE Engine system cookies affected by this configuration include:

cookies named JSESSIONID (in accordance with the Java Servlet 2.3 specification) for tracking Web browser sessions.

cookies named saplb_<string>, with <string> representing a logon group. These cookies are issued by the Web container for session tracking.

For more information about system cookies, see J2EE Engine Cookies.

When you enable the use of the HttpOnly attribute for these system cookies, supporting Web browsers (currently only IE version 6.0 SP1) return empty responses when JavaScript requests access to the system cookies.

Caution

This feature currently has effect only for Web browsers Internet Explorer version 6.0 SP1 and later. For more information about the HttpOnly feature in Internet Explorer 6.0 SP1, see the relevant documents available at msdn.microsoft.com. For information about support of this feature in other Web browsers, consult the documentation provided by your Web browser provider.

You use the HTTP service property SystemsCookiesDataProtection to enable the use of the HttpOnly attribute for system cookies, by configuring the property value to true.

Recommendation

For backward compatibility, the HttpOnly attribute is not enabled for system cookies by default. We recommend that you manually enable it after verifying that your applications do not rely on reading system cookies on the client side.

For more information about configuring HTTP service properties, see HTTP Provider Service.

Logon Tickets

Logon tickets are cookies that are used for user authentication and Single Sign-On on the J2EE Engine. To set this attribute for logon tickets, set the User Management Engine (UME) property ume.logon.httponlycookie to the value TRUE.

For more information, see SAP Logon Ticket and Editing UME Properties.
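After setting SystemsCookiesDataProtection and ume.logon.httponlycookie, a practitioner will want to confirm that the Set-Cookie headers the J2EE Engine actually emits carry the HttpOnly attribute. The following Python script is an added example, not part of this SAP documentation or of the J2EE Engine; it parses Set-Cookie header values (constructed sample headers are embedded below, representing the state before and after enabling the attribute) and reports which system cookies (JSESSIONID and saplb_<string>) lack HttpOnly. The logon ticket cookie name is not given on this page, so it is passed in through the extra_names parameter using an obviously placeholder name.

```python
"""Audit Set-Cookie headers for the HttpOnly attribute on J2EE Engine system cookies.

Added example (not SAP code). Feed it the Set-Cookie header values captured
from a response of the J2EE Engine, for example from a browser's developer
tools or a proxy log, after enabling SystemsCookiesDataProtection.
"""


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; valueless attributes such as HttpOnly
    and Secure are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def is_system_cookie(name):
    """System cookies named on the page: JSESSIONID and saplb_<logon group>."""
    return name == "JSESSIONID" or name.startswith("saplb_")


def audit_set_cookie_headers(headers, extra_names=()):
    """Return [(cookie_name, has_httponly)] for every system cookie seen.

    extra_names lets the caller add further cookie names to check, e.g. the
    logon ticket cookie, whose name this page does not state.
    """
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if is_system_cookie(name) or name in extra_names:
            findings.append((name, "httponly" in attrs))
    return findings


def missing_httponly(headers, extra_names=()):
    """Names of system cookies that were set without the HttpOnly attribute."""
    return [name for name, ok in audit_set_cookie_headers(headers, extra_names) if not ok]


# Constructed sample headers; cookie values are placeholders, not real session IDs.
SAMPLE_BEFORE = [
    "JSESSIONID=SAMPLE_SESSION_ID; Path=/",
    "saplb_LB1=SAMPLE_LB_VALUE; Version=1; Path=/",
    "theme=blue; Path=/",  # application cookie, not a system cookie: ignored
]
SAMPLE_AFTER = [
    "JSESSIONID=SAMPLE_SESSION_ID; Path=/; HttpOnly",
    "saplb_LB1=SAMPLE_LB_VALUE; Version=1; Path=/; HttpOnly",
    "theme=blue; Path=/",
]
# Placeholder for the logon ticket cookie name, which the page does not give.
LOGON_TICKET_COOKIE = "LOGON_TICKET_COOKIE_NAME_PLACEHOLDER"


if __name__ == "__main__":
    for label, headers in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        missing = missing_httponly(headers, extra_names=(LOGON_TICKET_COOKIE,))
        status = "OK" if not missing else "missing HttpOnly on: " + ", ".join(missing)
        print(f"{label}: {status}")
```

Run it against the real headers by replacing the sample lists with the Set-Cookie values captured from your system; an empty result from missing_httponly means every system cookie was issued with HttpOnly. Remember that the attribute only protects against script access in browsers that support it (see the caution above), so this check verifies the server configuration, not browser behaviour.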
