Show TOC

Activating HTTP Security Session Management on AS ABAPLocate this document in the navigation structure


You can use optional HTTP security sessions and activate or deactivate these for each client of AS ABAP. With an existing security session, users can then start applications that require a user logon without logging on again. When a security session is ended, the system also ends all applications that are linked to this security session.

A security session starts with the logon to the system and ends with the logoff from the system. Logoff can be triggered in the following ways:

  • By the user

  • By the system administrator

    A system administrator can use transaction SM05 to end an HTTP security session (and all application sessions linked to this security session). The Security Audit Log logs this event.

  • By inactivity, that is, no HTTP communication with the system.

    You can set the time period as of which the system assesses a lack of communication as user inactivity in profile parameter http/security_session_timeout.

The following profile parameters are relevant for HTTP security session management.

Profile Parameter

Possible Values

Additional Notes


0: Do not create tickets (SSO Tickets)

1: Create SSO Ticket with certificate

2: Create SSO Ticket without certificate

3: Create assertion tickets only (no logon tickets)

Permits the generation of logon or authentication assertion tickets.


For an issuing system, we recommend the value 3 with security session management. The use of logon tickets with security session management makes it impossible for the automatic logoff from inactivity function to work properly. With this value the system still issues assertion tickets, which are used for system to system communication. If you cannot do without logon tickets, then we recommend that you use the value 2 as tickets without certificates are smaller.

For receiving systems, we recommend that you deactivate ticket generation, that is, value 0.

For more information, see SAP Note 1562004 Information published on SAP site.


0: Logon with tickets is not permissible

1: Logon with tickets is permissible

Defines whether the system accepts logon and assertion tickets.


Default value: 1000

Defines the maximum number of possible entries in the cache for logon tickets.


0: Hold logon tickets in the cache (default value)

1: Do not hold any logon tickets in the cache

Defines whether the system holds logon tickets in the cache


1: Cookie is only sent by the browser during HTTPS connections.

0: Cookie is always sent

Specifies how the system sends the logon ticket cookie and the HTTP session management cookie generated when you log on using HTTP(S) in the browser.


0 = HTTPonly attribute active for all ICF cookies

1 = HTTPonly attribute deactivated for ICF logon cookie

2 = HTTPonly attribute deactivated for cookies except ICF logon cookie

3 = HTTPonly attribute deactivated for all ICF cookies

Sets the attribute HTTPonly for ICF cookies


Declaring a cookie as HTTPonly increases the security of your system because it eliminates access to this cookie in the Web browser from client-side scripts, applets, plugins, and the like. This can have side effects because some applications use such technologies and also rely on this information. These applications may no longer function correctly because they cannot access this information.


An example of this is an application that uses Java applets to perform a certain function within a Web browser application. When the user accesses the Web browser application, the backend server may authenticate the user and may issue the user a cookie (for example, a logon ticket or a session ID) to use for further authentication. If the HTTPonly attribute is set for this cookie, then neither the applet can access it, nor the cookie is automatically sent back to the server because the applet uses its own communication channel. Therefore the user will either see a logon screen or notice other function defects (for example, a blank screen), even though the user was already authenticated in the Web browser session.


0 = Check is not active

1 = Check is active

Defines whether, for stateful HTTP communication (and therefore the addressing of an existing session), the system checks the logon data again for HTTP requests. The authentication data needs to match the data held in the session.


This parameter is only relevant if Security Session Management is not active.

For more information, see SAP Note 1301591 Information published on SAP site.


Default value: 1800 (30 minutes)

Defines the maximum time period between the receipt of two HTTP requests (with valid security session ID). After this period has expired, all application contexts that are connected with a security session on this application server (if you are using stateful Web applications) are closed (and resources that are connected with these sessions are released; more information: rdisp/plugin_auto_logout). If the security session is no longer actively used on another application server, the security session is also closed. For Web-based applications or services that require authentication, all subsequent HTTP requests lead to an authentication request.


Default value: 2500

With active HTTP security session management, the system stores session contexts in a local server cache to monitor whether the session inactivity timeout is exceeded. You cannot change the cache size at runtime. It is defined by the retention period of the cache entries (that is, the session timeout value) and the expected number of simultaneous users of an application server instance.


Default value: 1800 seconds

0: System does not automatically delete the context

Specifies the maximum period of inactivity for the user context of an external plug-in (such as HTTP), before the system closes it.

You can specify the value with or without a time unit. Specifying a value without a time unit means that the system uses seconds as the unit. However, you can also specify M for minutes or H for hours.


Default value: 60 seconds

Defines the time interval between the periodically-performed checks in the task handler, such as the automatic resetting of trace files, the checking of the context pool for RFC servers or external plug-ins (HTTP, and so on), and the automatic logon for external plug-ins (HTTP, and so on).

You can specify the value with or without a time unit. Specifying a value without a time unit means that the system uses seconds as the unit. However, you can also specify M for minutes or H for hours.


  1. Start HTTP Session Management (transaction SICF_SESSIONS).

    A list of all of the clients that exist in the system appears.

  2. Select the relevant line and choose Activate.

    The Security Audit Log records the activation or deactivation of HTTP Security Session Management.