
Configuring ABAP Server Session Security


For the ABAP front-end server and the ABAP back-end server that runs Enterprise Search, you must activate HTTP security session management using transaction SICF_SESSIONS. When you activate HTTP security session management, we recommend that you also activate the following additional protection for security-related cookies:

  • HttpOnly

    This attribute instructs the browser to deny access to the cookie through client-side script. As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally follows a link that exploits it, the browser does not reveal the cookie value to the injected script, so the session cannot be exported to a third party. Note that HttpOnly protects only the cookie value: script injected through the same flaw can still issue requests that the browser authenticates with the cookie, which is why the XSS flaw itself must still be fixed.

  • Secure

    This attribute instructs the browser to send the cookie only over a secure channel such as HTTPS. The cookie is then never transmitted in an unencrypted request, for example when a user or a link addresses the server with a plain http:// URL.
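To check that the two attributes above actually reach the browser, the following script is an added example (it is not part of the SAP documentation or of any SAP product). It parses Set-Cookie headers, either from a live HTTPS response or from constructed samples, and reports every session cookie that lacks HttpOnly or Secure. The cookie-name prefixes (SAP_SESSIONID_ for the security session cookie, MYSAPSSO2 for the logon ticket), the sample header values and the placeholder URL are assumptions for illustration; adjust them to your landscape.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example, not SAP code: parses Set-Cookie headers and reports session
cookies that are missing HttpOnly or Secure.
"""
from typing import Dict, List, Union
import urllib.request

# Assumption: the HTTP security session cookie is named SAP_SESSIONID_<SID>_<client>
# and the logon ticket cookie MYSAPSSO2; adjust the prefixes for your landscape.
SESSION_COOKIE_PREFIXES = ("SAP_SESSIONID_", "MYSAPSSO2")
REQUIRED_FLAGS = ("httponly", "secure")

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and attributes.

    Attribute names are lower-cased. Flag attributes (HttpOnly, Secure) map to
    True; valued attributes (Path, Domain, SameSite, ...) map to their string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_session_cookie(name: str) -> bool:
    return name.startswith(SESSION_COOKIE_PREFIXES)


def audit_cookies(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [missing flags]} for every session cookie seen."""
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not is_session_cookie(cookie["name"]):
            continue
        missing = [f for f in REQUIRED_FLAGS if f not in cookie["attrs"]]
        findings[cookie["name"]] = missing
    return findings


def all_protected(set_cookie_headers: List[str]) -> bool:
    """True when every session cookie carries both HttpOnly and Secure."""
    return all(not missing for missing in audit_cookies(set_cookie_headers).values())


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Collect Set-Cookie headers from a live endpoint (not called offline).

    Point it at an ICF service of the front-end server over HTTPS; the URL
    https://fes.example.corp/sap/bc/ui2/flp is a hypothetical placeholder.
    """
    with urllib.request.urlopen(url) as resp:  # operator-supplied HTTPS URL
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample headers standing in for a real logon response.
SAMPLE_HEADERS = [
    "SAP_SESSIONID_FES_100=rT8u1Q0cXkP3; path=/; HttpOnly; Secure",
    "sap-usercontext=sap-client=100; path=/",                              # not a session cookie
    "MYSAPSSO2=AjQxMDMBABhTQUxJQ0U; path=/; domain=.example.corp; HttpOnly",  # lacks Secure
]

if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        state = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{name}: {state}")
```

Run it against the real front-end server with `fetch_set_cookie_headers("https://<host>/<icf-path>")` after the SICF_SESSIONS activation and expect every session cookie to report OK; a cookie that reports MISSING secure is still being issued without the Secure attribute and will be sent on any plain-HTTP request to the same host.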

Note

A token-based protection against cross-site request forgery (CSRF) is active by default for the SAP Fiori OData services in SAP Gateway and in SAP HANA XS. It protects all modifying requests (that is, every request other than a read).
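To make the note concrete, the following behavioural model is an added example and is not SAP Gateway or SAP HANA XS code. It assumes the token handshake that SAP Gateway documents for OData clients: a non-modifying request carrying the request header X-CSRF-Token: Fetch returns the token in the X-CSRF-Token response header, and every modifying request must present that token for the same HTTP security session. The session cookie name, the status codes, the response header value and the helper names are simplifications chosen for the model. It shows why a forged cross-site POST fails even though the browser attaches the victim's session cookie.

```python
"""Behavioural model of token-based CSRF protection for modifying requests.

Added example, not SAP code. One CSRF token is bound to each HTTP security
session; reads hand it out on "X-CSRF-Token: Fetch", writes require it.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
SESSION_COOKIE = "SAP_SESSIONID"   # stands in for SAP_SESSIONID_<SID>_<client> (assumption)
Response = Tuple[int, Dict[str, str]]


class ODataServer:
    """Keeps one CSRF token per security session and enforces it on writes."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Optional[str]] = {}   # cookie value -> csrf token

    def logon(self) -> str:
        """Create a security session; returns the session cookie value."""
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = None
        return sid

    def handle(self, method: str, headers: Dict[str, str], cookies: Dict[str, str]) -> Response:
        sid = cookies.get(SESSION_COOKIE)
        if sid not in self._sessions:
            return 401, {}
        if method.upper() in SAFE_METHODS:
            resp: Dict[str, str] = {}
            if headers.get("X-CSRF-Token", "").lower() == "fetch":
                if self._sessions[sid] is None:            # one token per session
                    self._sessions[sid] = secrets.token_urlsafe(24)
                resp["X-CSRF-Token"] = self._sessions[sid] or ""
            return 200, resp
        # Modifying request (POST, PUT, PATCH, DELETE, MERGE): the token is
        # mandatory and is compared in constant time with the session's token.
        expected = self._sessions[sid]
        presented = headers.get("X-CSRF-Token")
        if (expected is None or presented is None
                or not hmac.compare_digest(presented.encode(), expected.encode())):
            return 403, {"X-CSRF-Token": "Required"}
        return 200, {}


def legitimate_client(server: ODataServer) -> Tuple[int, int]:
    """Same-origin app: fetch the token on a GET, then present it on a POST."""
    sid = server.logon()
    cookies = {SESSION_COOKIE: sid}
    status, hdrs = server.handle("GET", {"X-CSRF-Token": "Fetch"}, cookies)
    token = hdrs.get("X-CSRF-Token", "")
    post_status, _ = server.handle("POST", {"X-CSRF-Token": token}, cookies)
    return status, post_status


def forged_cross_site_post(server: ODataServer) -> int:
    """Attacker page: the browser attaches the victim's cookie automatically,
    but the same-origin policy keeps the token out of the attacker's reach."""
    sid = server.logon()                                   # victim is logged on
    server.handle("GET", {"X-CSRF-Token": "Fetch"}, {SESSION_COOKIE: sid})  # victim's app has a token
    status, _ = server.handle("POST", {}, {SESSION_COOKIE: sid})            # forged: no token header
    return status


def token_from_other_session(server: ODataServer) -> int:
    """A token the attacker fetched in their own session does not transfer."""
    victim = server.logon()
    attacker = server.logon()
    _, hdrs = server.handle("GET", {"X-CSRF-Token": "Fetch"}, {SESSION_COOKIE: attacker})
    status, _ = server.handle("POST", {"X-CSRF-Token": hdrs["X-CSRF-Token"]},
                              {SESSION_COOKIE: victim})
    return status


if __name__ == "__main__":
    srv = ODataServer()
    print("legitimate:", legitimate_client(srv))
    print("forged cross-site POST:", forged_cross_site_post(srv))
    print("token from other session:", token_from_other_session(srv))
```

The model makes the dependency explicit: the token is only useful together with the security session it was issued for, which is why the HttpOnly and Secure attributes on the session cookie and the CSRF token complement rather than replace each other.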

In addition, we recommend configuring HTTP session expiration with a reasonable timeout. To configure this, you use the profile parameter http/security_session_timeout.

Logout from Multiple Systems

SAP Fiori apps support logout only from the ABAP front-end server and a single SAP HANA XS system. If additional SAP Gateway or SAP HANA XS systems are deployed (for example, to distribute OData services across several server farms), the corresponding HTTP sessions on those systems are not closed when the user logs out and remain valid until they expire. In this case, it is important that session expiration is configured, because the timeout is the only mechanism that ends those sessions.

More Information

For more information about activating HTTP security session management, see the following documentation:

  • For SAP NetWeaver 7.31, see the SAP Help Portal at http://help.sap.com/nw731 under Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Authentication Infrastructure > AS ABAP Authentication Infrastructure > Activating HTTP Security Session Management on AS ABAP.

  • For SAP NetWeaver 7.40, see the SAP Help Portal at http://help.sap.com/nw74 under Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Authentication Infrastructure > AS ABAP Authentication Infrastructure > Activating HTTP Security Session Management on AS ABAP.

For more information about session security protection for SAP Gateway, see the following documentation:

  • For SAP NetWeaver 7.31, see the SAP Help Portal at http://help.sap.com/nwgateway20 under Security Information > Security Guide > SAP Gateway Security Guide > Session Security Protection.

  • For SAP NetWeaver 7.40, see the SAP Help Portal at http://help.sap.com/nw74 under Application Help > Function-Oriented View > SAP Gateway Foundation (SAP_GWFND) > SAP Gateway Foundation Security Guide > Session Security Protection.