Activating HTTP Security Session Management on SAP NetWeaver Application Server for ABAP
You can use optional HTTP security sessions and activate or deactivate these for each client of SAP NetWeaver Application Server for ABAP. With an existing security session, users can then start applications that require a user logon without logging on again. When a security session is ended, the system also ends all applications that are linked to this security session.
Context
A security session starts with the logon to the system and ends with the logoff from the system. Logoff can be triggered in the following ways:
-
By the user
-
By the system administrator
A system administrator can use transaction SM05 to end an HTTP security session (and all application sessions linked to this security session). The security audit log records this event.
-
By inactivity, that is, no HTTP communication with the system.
You can set the time period as of which the system assesses a lack of communication as user inactivity in profile parameter http/security_session_timeout.
The following profile parameters are relevant for HTTP security session management.
|
Profile Parameter |
Possible Values |
Additional Notes |
|---|---|---|
| login/create_sso2_ticket |
0: Do not create tickets (SSO Tickets) 1: Create SSO Ticket with certificate 2: Create SSO Ticket without certificate 3: Create assertion tickets only (no logon tickets) |
Permits the generation of logon or authentication assertion tickets. Recommendation
We recommend the value 3 with security session management. The use of logon tickets with security session management makes it impossible for the automatic logoff from inactivity function to work properly. With this value the system still issues assertion tickets, which are used for system to system communication. If you cannot do without logon tickets, then we recommend that you use the value 2 as tickets without certificates are smaller. For more information, see SAP Note
1562004 |
| login/accept_sso2_ticket |
0: Logon with tickets is not permissible 1: Logon with tickets is permissible |
Defines whether the system accepts logon and assertion tickets. |
| login/ticketcache_entries_max |
Default value: 1000 |
Defines the maximum number of possible entries in the cache for logon tickets. |
| login/ticketcache_off |
0: Hold logon tickets in the cache (default value) 1: Do not hold any logon tickets in the cache |
Defines whether the system holds logon tickets in the cache |
| login/ticket_only_by_https |
1: Cookie is only sent by the browser during HTTPS connections. 0: Cookie is always sent |
Specifies how the system sends the logon ticket cookie and the HTTP session management cookie generated when you log on using HTTP(S) in the browser. |
| icf/set_HTTPonly_flag_on_cookies |
0 = HTTPonly attribute active for all ICF cookies 1 = HTTPonly attribute deactivated for ICF logon cookie 2 = HTTPonly attribute deactivated for cookies except ICF logon cookie 3 = HTTPonly attribute deactivated for all ICF cookies |
Sets the attribute HTTPonly for ICF cookies Caution
Declaring a cookie as HTTPonly increases the security of your system because it eliminates access to this cookie in the Web browser from client-side scripts, applets, plug-ins, and the like. This can have side effects because some applications use such technologies and also rely on this information. These applications may no longer function correctly because they cannot access this information. Example
An example of this is an application that uses Java applets to perform a certain function within a Web browser application. When the user accesses the Web browser application, the back-end server may authenticate the user and may issue the user a cookie (for example, a logon ticket or a session ID) to use for further authentication. If the HTTPonly attribute is set for this cookie, then neither the applet can access it, nor the cookie is automatically sent back to the server because the applet uses its own communication channel. Therefore the user will either see a logon screen or notice other function defects (for example, a blank screen), even though the user was already authenticated in the Web browser session. |
| icf/user_recheck |
0 = Check is not active 1 = Check is active |
Defines whether, for stateful HTTP communication (and therefore the addressing of an existing session), the system checks the logon data again for HTTP requests. The authentication data needs to match the data held in the session. Note
This parameter is only relevant if security session management is not active. For more information, see SAP Note
1301591 |
| http/security_session_timeout |
Default value: 1800 (30 minutes) |
Defines the maximum time period between the receipt of two HTTP requests (with valid security session ID). After this period has expired, all application contexts that are connected with a security session on this application server (if you are using stateful Web applications) are closed (and resources that are connected with these sessions are released; more information: rdisp/plugin_auto_logout). If the security session is no longer actively used on another application server, the security session is also closed. For Web-based applications or services that require authentication, all subsequent HTTP requests lead to an authentication request. |
| http/security_context_cache_size |
Default value: 2500 |
With active HTTP security session management, the system stores session contexts in a local server cache to monitor whether the session inactivity timeout is exceeded. You cannot change the cache size at runtime. It is defined by the retention period of the cache entries (that is, the session timeout value) and the expected number of simultaneous users of an application server instance. |
| rdisp/plugin_auto_logout |
Default value: 1800 seconds 0: System does not automatically delete the context |
Specifies the maximum period of inactivity for the user context of an external plug-in (such as HTTP), before the system closes it. You can specify the value with or without a time unit. Specifying a value without a time unit means that the system uses seconds as the unit. However, you can also specify M for minutes or H for hours. |
| rdisp/autothtime |
Default value: 60 seconds |
Defines the time interval between the checks performed periodically in the task handler, such as the automatic resetting of trace files, the checking of the context pool for RFC servers or external plug-ins (HTTP, and so on), and the automatic logon for external plug-ins (HTTP, and so on). You can specify the value with or without a time unit. Specifying a value without a time unit means that the system uses seconds as the unit. However, you can also specify M for minutes or H for hours. |
