There are many types of session-based attacks, such as impersonation, where a malicious user attempts to access another user's session by posing as that user.
These attacks require that the malicious user obtain a valid session identifier, as this is the minimum information required to be identified as that user.
Within a secure session, users can start applications that require a user logon without logging on again. When a security session ends, the system also ends all applications that are linked to this security session.
Also, use Secure Session Management (transaction SICF_SESSIONS) together with any other authentication methods you choose to implement on the SAP Gateway host, for example SAML.
For protection of session cookies, use HTTPS transport.
Cross Site Scripting Protection
SAP Gateway is compliant with RFC 4287 which states the following:
If the value of "type" is "html", the content of atom:content MUST NOT contain child elements and SHOULD be suitable for handling as HTML [HTML]. The HTML markup MUST be escaped; for example, "<br>" as "&lt;br>".
The HTML markup SHOULD be such that it could validly appear directly within an HTML element. Atom Processors that display the content MAY use the markup to aid in displaying it.
For more information, see https://tools.ietf.org/html/rfc4287#section-4.1.3.3
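As an added illustration of the RFC 4287 rule quoted above (example code written for this page, not SAP Gateway's own implementation), the following Python builds an atom:content element of type "html" with the markup escaped as text, and checks a serialized content element for unescaped child elements; the function names and the sample content are constructed.

```python
# Added example (not SAP code): escaping HTML markup for Atom content
# with type="html", as RFC 4287 section 4.1.3.3 requires, plus a check
# that rejects content carrying the markup as real child elements.
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"
CONTENT_TAG = "{%s}content" % ATOM_NS
ET.register_namespace("atom", ATOM_NS)


def build_html_content(markup):
    """Wrap HTML markup in <atom:content type="html">.

    The markup is stored as the element's text, so the XML serializer
    escapes '<', '>' and '&'; the element itself has no child elements."""
    elem = ET.Element(CONTENT_TAG, {"type": "html"})
    elem.text = markup
    return ET.tostring(elem, encoding="unicode")


def check_html_content(xml_text):
    """Return (ok, reason) for one serialized atom:content element."""
    elem = ET.fromstring(xml_text)
    if elem.tag != CONTENT_TAG:
        return False, "not an atom:content element"
    if elem.get("type") != "html":
        return True, "type is not html; the escaping rule does not apply"
    if len(elem):  # any child element violates the MUST NOT
        return False, 'unescaped child element <%s> in type="html" content' % elem[0].tag
    return True, "ok"


def extract_markup(xml_text):
    """Recover the HTML markup an Atom processor would hand to its renderer."""
    elem = ET.fromstring(xml_text)
    return elem.text or ""


# Constructed sample that breaks the rule: the <br/> is a real child element.
BAD_CONTENT = ('<atom:content xmlns:atom="%s" type="html">'
               'Hello<br/>world</atom:content>' % ATOM_NS)

if __name__ == "__main__":
    good = build_html_content("Hello<br>world & more")
    print(good)
    print(check_html_content(good))         # (True, 'ok')
    print(check_html_content(BAD_CONTENT))  # (False, '...child element <br>...')
```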
In addition, all modifying requests through SAP Gateway are protected against Cross-Site Request Forgery (CSRF) by means of tokens.