For SAP NetWeaver version 7.0 and higher, we recommend that you activate HTTP security session management using transaction SICF_SESSIONS. In particular, we recommend that you activate the additional protection for security-related cookies (the security session cookie and the logon ticket) described below.
The HttpOnly flag instructs the browser to deny access to the cookie from client-side script. As a result, even if a cross-site scripting (XSS) flaw exists and a user follows a link that exploits it, the injected script cannot read the cookie and send it to a third party. Note that HttpOnly only prevents the script from reading the cookie value; requests the script issues to the server still carry the cookie, so the flag is a mitigation, not a replacement for fixing the XSS flaw.
The Secure flag tells the browser to send the cookie only over a secure channel (HTTPS). This prevents the cookie from being transmitted in cleartext, for example when a user follows a plain http:// link to the same host, where it could be read on the network.
You configure these additional flags with the following profile parameters:
| Profile Parameter | Recommended Value | Description | Comment |
|---|---|---|---|
| icf/set_HTTPonly_flag_on_cookies | 0 | Add the HttpOnly flag to cookies (for this parameter, 0 is the value that sets the flag; do not read it as "off") | Client-dependent |
| login/ticket_only_by_https | 1 | Add the Secure flag to the logon ticket cookie, so that it is sent only over HTTPS | Client-independent |
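After changing the profile parameters, verify the effect from the outside rather than trusting the setting: a request to the server must return the security session cookie (SAP_SESSIONID_<SID>_<client>) and the logon ticket (MYSAPSSO2) with both flags. The following Python check is an added example, not part of the SAP guide: it parses Set-Cookie header values and reports sensitive cookies that lack HttpOnly or Secure. The sample headers are constructed for illustration, and the live-host helper (`fetch_set_cookie_headers`, with the hostname and path you pass to it) is an assumption about how you would collect real headers.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags (added example)."""
import http.client
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Cookies that carry an AS ABAP security session or an SSO logon ticket.
# SAP_SESSIONID_<SID>_<client> is the HTTP security session cookie and
# MYSAPSSO2 the logon ticket; both should carry HttpOnly and Secure.
SENSITIVE_PREFIXES = ("SAP_SESSIONID_", "MYSAPSSO2")


@dataclass(frozen=True)
class Cookie:
    name: str
    httponly: bool
    secure: bool


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value into its name and the two flags.

    Attribute names are case-insensitive (RFC 6265), so 'HTTPONLY' and
    'httponly' are both recognised. Only the cookie name and flags are kept.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return Cookie(name=name, httponly="httponly" in attrs, secure="secure" in attrs)


def is_sensitive(name: str) -> bool:
    """True for the security session cookie and the logon ticket."""
    upper = name.upper()
    return any(upper.startswith(p.upper()) for p in SENSITIVE_PREFIXES)


def audit(set_cookie_headers: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, missing flags) for every sensitive cookie that
    lacks HttpOnly or Secure. An empty list means the configuration took effect."""
    findings = []
    for raw in set_cookie_headers:
        cookie = parse_set_cookie(raw)
        if not is_sensitive(cookie.name):
            continue
        missing = [flag for flag, present in (("HttpOnly", cookie.httponly),
                                              ("Secure", cookie.secure)) if not present]
        if missing:
            findings.append((cookie.name, missing))
    return findings


def fetch_set_cookie_headers(host: str, path: str = "/sap/bc/gui/sap/its/webgui") -> List[str]:
    """Assumed helper: collect all Set-Cookie headers from one HTTPS request.
    Only a logon that establishes a session returns the cookies of interest,
    so point this at a service that performs authentication on your system."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    headers = resp.headers.get_all("Set-Cookie") or []
    conn.close()
    return headers


# Constructed sample headers (not captured from a real system): the session
# cookie lacks Secure, the logon ticket lacks both flags, and sap-usercontext
# is not security-relevant and is therefore ignored by the audit.
SAMPLE_HEADERS = [
    "sap-usercontext=sap-client=100; path=/",
    "SAP_SESSIONID_NW1_100=Z3JlZW5zdGFydA; path=/; HttpOnly",
    "MYSAPSSO2=AjExMDAgAB; path=/; domain=.example.corp",
]


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

Run the script as-is to see the two findings from the constructed headers; to check a real system, replace `SAMPLE_HEADERS` with `fetch_set_cookie_headers("your.host")` and make sure the request actually logs on, since the session cookie and ticket are only issued once a security session exists. Both flags must be present on every sensitive cookie before the configuration can be considered effective.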
For more information, please see Activating HTTP Security Session Management on AS ABAP on the SAP Help Portal: SAP NetWeaver 7.0, including Enhancement Package 2.