Session Security Protection


To increase security and prevent access to the SAP logon ticket and security session cookie(s), we recommend activating secure session management. We also highly recommend using SSL to protect the network communications where these security-relevant cookies are transferred.

Session Security Protection on the AS ABAP

To activate session security on the AS ABAP, set the corresponding profile parameters and activate the session security for the client(s) using the transaction SICF_SESSIONS. For more information, a list of the relevant profile parameters, and detailed instructions, see Activating HTTP Security Session Management on AS ABAP in the AS ABAP security documentation.

Session Security Protection on the AS Java

The SAP J2EE parameter SystemCookiesDataProtection for activating the attribute HttpOnly for system cookies must be deactivated for SAP Learning Solution.
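The two sections above revolve around the attributes set on the security-relevant cookies: they should travel only over SSL (the Secure attribute), while HttpOnly is normally desirable but must be switched off for SAP Learning Solution. The following added example (not SAP code, and not the SAP J2EE SystemCookiesDataProtection mechanism itself) is a small audit routine that parses a Set-Cookie header and reports whether these attributes match the expectation for the application; the cookie names and values below are constructed for the example.

```python
def parse_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header value into name, value and lower-cased attributes.

    Attributes without a value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_session_cookie(header_value: str, httponly_expected: bool = True) -> list:
    """Return findings for a security-relevant cookie (empty list means no findings).

    Secure is always expected, since the session cookie should only cross the
    network under SSL. HttpOnly is configurable: for the SAP Learning Solution
    Content Player the text says it must be deactivated, so a cookie that still
    carries HttpOnly is reported as a misconfiguration in that mode.
    """
    cookie = parse_set_cookie(header_value)
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append(f"{cookie['name']}: missing Secure attribute")
    if httponly_expected and "httponly" not in attrs:
        findings.append(f"{cookie['name']}: missing HttpOnly attribute")
    if not httponly_expected and "httponly" in attrs:
        findings.append(f"{cookie['name']}: HttpOnly set but must be deactivated for this application")
    return findings


if __name__ == "__main__":
    # Constructed sample headers; cookie values are placeholders, not real tickets.
    samples = [
        ("MYSAPSSO2=<constructed-ticket>; Path=/; Domain=.example.invalid; Secure; HttpOnly", True),
        ("SAP_SESSIONID_XYZ_100=<constructed>; Path=/; HttpOnly", True),
        ("JSESSIONID=<constructed>; Path=/; Secure; HttpOnly", False),
    ]
    for header, expect_httponly in samples:
        print(header.split(";")[0].split("=")[0], audit_session_cookie(header, expect_httponly) or "OK")
```

Run it against the Set-Cookie headers captured from a logon to your own system; an empty finding list for the logon ticket and session cookies means the transport protection matches the recommendation above.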

XSRF Protection

Cross-site request forgery (XSRF or CSRF) refers to the manipulation of a Web browser with the goal of performing the actions of an authorized user in a Web application. An XSRF attack is successful when the attacker manages to send his or her own queries to the Web application via the authorized user's browser. In the Web application, it looks as though these actions were performed by the authorized user.

XSRF attacks cannot be prevented by the user of the Web application; they must be defended against within the Web application. It is therefore necessary to protect the Content Player of SAP Learning Solution against XSRF attacks.

The URLs opened by the browser (for example, to perform actions for changing learning activity data such as saving learning progress in the back end, resetting learning progress, or changing the learning strategy) are protected by the use of an XSRF token. This is a string generated by the system at runtime that is sent to the Web application along with the query. This token is checked against the XSRF token of the protected URL. An http/https query is only processed once the valid XSRF token is found in the protected URL. If an incorrect XSRF token is found, the system generates an XSRF error page with access details. The XSRF error page provides the authorized user with the option of continuing the current processing in the Content Player.
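The token check described above is the synchronizer token pattern. The following added example (not SAP code, and not the SAP XSRF API library) shows the pattern end to end: a random token is issued per session at runtime, embedded in the protected URL, and validated with a constant-time comparison before the action is performed; a request without a matching token gets the error response instead of the action. The session ids, URL and action names are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical per-session token store: session id -> XSRF token.
# In a real server this lives in the security session, never in the URL alone.
_session_tokens = {}


def issue_xsrf_token(session_id: str) -> str:
    """Generate a fresh random XSRF token for the session at runtime."""
    token = secrets.token_urlsafe(32)
    _session_tokens[session_id] = token
    return token


def protected_url(base_url: str, session_id: str, params: dict) -> str:
    """Build a protected URL carrying the session's XSRF token as a query parameter."""
    token = _session_tokens[session_id]
    query = dict(params, xsrf_token=token)
    return f"{base_url}?{urlencode(query)}"


def check_request(session_id: str, url: str):
    """Validate the XSRF token in the request URL against the session's expected token.

    Returns (accepted, reason). A missing or wrong token is rejected so the
    caller renders an XSRF error page instead of performing the action.
    """
    expected = _session_tokens.get(session_id)
    if expected is None:
        return False, "no XSRF token issued for this session"
    qs = parse_qs(urlsplit(url).query)
    supplied = qs.get("xsrf_token", [None])[0]
    if supplied is None:
        return False, "XSRF token missing from protected URL"
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not hmac.compare_digest(supplied, expected):
        return False, "XSRF token invalid"
    return True, "ok"


def handle_action(session_id: str, url: str) -> str:
    """Dispatch a learning-progress action only when the XSRF check passes."""
    ok, reason = check_request(session_id, url)
    if not ok:
        return f"XSRF error page: {reason}"
    action = parse_qs(urlsplit(url).query).get("action", ["?"])[0]
    return f"performed {action}"


if __name__ == "__main__":
    base = "https://lso.example.invalid/contentplayer/progress"  # constructed
    issue_xsrf_token("session-A")
    # Legitimate request: the URL was generated by the application for this session.
    print(handle_action("session-A", protected_url(base, "session-A", {"action": "save_progress"})))
    # Request that arrives without the session's token is not processed.
    print(handle_action("session-A", f"{base}?action=reset_progress"))
    # A token issued to one session is not accepted for another.
    issue_xsrf_token("session-B")
    print(handle_action("session-B", protected_url(base, "session-A", {"action": "save_progress"})))
```

Because the token travels in the URL here, it can end up in proxy logs and Referer headers; that is one reason the section above pairs XSRF protection with SSL for the transport, and why tokens should be bound to the session and rotated rather than reused indefinitely.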

Note that XSRF protection is not active in the Content Player in the following cases:

  • The SAP J2EE server does not have an XSRF API library

  • XSRF protection is generically deactivated in the SAP J2EE server

  • No SAP J2EE server is used for the Content Player

To ensure that the Content Player is protected against XSRF attacks, you must use the XSRF API library to configure the SAP J2EE server. For more information, see Important SAP Notes.