Session Security Protection

To increase security and prevent access to the SAP logon ticket and security session cookies, we recommend that you activate secure session management. We also highly recommend using SSL to protect the network communications where these security-relevant cookies are transferred.

Session Security Protection on the AS ABAP

The following section is relevant for Project Workspace and Project Cost and Revenue Planning in SAP NetWeaver Business Client:

To prevent access in JavaScript or plug-ins to the SAP logon ticket and security session cookies (SAP_SESSIONID_<sid>_<client>), activate secure session management. With an existing security session, users can then start applications that require a user logon without logging on again. When a security session is ended, the system also ends all applications that are linked to this security session.

Use transaction SICF_SESSIONS to set the profile parameters to the values shown in the table below in your AS ABAP system:

Session Security Protection Profile Parameters

Profile Parameter                  Recommended Value   Comment
icf/set_HTTPonly_flag_on_cookies   0                   Client-dependent
login/ticket_only_by_https         1                   Not client-dependent
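After setting the parameters above, a practitioner will want to verify the effect on the actual HTTP responses. The following added example (not SAP code and not part of this guide) audits Set-Cookie headers for the security session cookie and the logon ticket cookie and reports any that lack the HttpOnly or Secure attribute. It assumes the logon ticket cookie is named MYSAPSSO2 and uses constructed sample headers rather than output captured from a real system.

```python
import re

# Cookie names that carry the AS ABAP security session and the logon ticket.
# SAP_SESSIONID_<sid>_<client> is named in the guide; MYSAPSSO2 as the name of
# the SAP logon ticket cookie is an assumption of this example.
SESSION_COOKIE_RE = re.compile(r"^SAP_SESSIONID_[A-Z0-9]+_\d{3}$")
TICKET_COOKIE = "MYSAPSSO2"


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie_headers(headers, over_https=True):
    """Return (cookie, problem) findings for security-relevant SAP cookies.

    headers: list of Set-Cookie header values received from the server.
    over_https: whether the response came over TLS; a logon ticket issued on
    a plain-HTTP response is reported as its own finding.
    """
    findings = []
    for value in headers:
        name, attrs = parse_set_cookie(value)
        is_session = bool(SESSION_COOKIE_RE.match(name))
        is_ticket = name == TICKET_COOKIE
        if not (is_session or is_ticket):
            continue  # only the session and ticket cookies are in scope
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly: readable from JavaScript/plug-ins"))
        if "secure" not in attrs:
            findings.append((name, "missing Secure: may be sent over plain HTTP"))
        if is_ticket and not over_https:
            findings.append((name, "logon ticket issued over plain HTTP"))
    return findings


# Constructed sample response headers (not captured from a real system).
SAMPLE_HEADERS = [
    "SAP_SESSIONID_ABC_100=abc123; path=/; HttpOnly; Secure",
    "MYSAPSSO2=ticketdata; path=/; domain=.example.internal",
    "sap-usercontext=sap-client=100; path=/",
]

if __name__ == "__main__":
    for cookie, problem in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{cookie}: {problem}")
```

Feed it the Set-Cookie values from a logon response to confirm that the session cookie carries HttpOnly and that the ticket is only issued with Secure over HTTPS.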