
Session Security Protection

Java EE applications can use system cookies to track user data (such as session tracking, logon data, and so on). These cookies contain sensitive information about the user. Therefore, to prevent potential misuse of session information, cookies should not be exposed to client-side scripts. To increase the security protection of system cookies, you can enable the use of the additional system cookie attribute HttpOnly.

Caution

Declaring a cookie as HttpOnly increases the security of your system because it eliminates access to this cookie in the Web browser from client-side scripts, applets, plugins, and so on. This can have side effects because some applications use such technologies and also rely on this information. These applications may no longer function correctly because they cannot access this information.

An example of this is an application that uses Java applets to perform a certain function within a Web browser application. When the user accesses the Web browser application, the backend server may authenticate the user and may issue the user a cookie (for example, a logon ticket or a session ID) to use for further authentication. If the HttpOnly attribute is set for this cookie, the applet can neither access it nor have it sent back to the server automatically, because the applet uses its own communication channel. Therefore, the user will either see a logon screen or notice other functional defects (for example, a blank screen), even though the user was already authenticated in the Web browser session.

System Cookies

SAP NetWeaver Application Server for Java (AS Java) system cookies affected by this configuration include:

  • Cookies for tracking Web browser sessions, such as JSESSIONID (in accordance with the Java Servlet 2.5 specification).
  • Cookies named saplb_<string>, with string representing a logon group for load balancing.

More information: AS Java Cookies.

When you enable the use of the HttpOnly attribute for these system cookies, some Web browsers (valid only for Internet Explorer version 6.0 SP1) return empty responses to JavaScript requests that try to read the system cookies.

Caution

This feature currently has effect only for Internet Explorer version 6.0 SP1 and later. For more information about the HttpOnly feature in Internet Explorer 6.0 SP1, see the relevant documents available at msdn.microsoft.com. For information about support of this feature in other Web browsers, consult the documentation provided by your Web browser provider.

You use the HTTP service property SystemCookiesDataProtection to enable the use of the HttpOnly attribute for system cookies by setting the property value to true.

Note

For backward compatibility, by default the HttpOnly attribute is not enabled for use in system cookies. We recommend that you manually enable it after verifying that your applications do not rely on reading system cookies on the client side.

Caution

Do not set the SystemCookiesDataProtection property to true if the ICM property disable_url_session_tracking is also set to true. If both properties are set to true, AS Java cannot handle HTTP sessions correctly.

For more information about the disable_url_session_tracking property, see icm/HTTP/ASJava/disable_url_session_tracking.

You use the HTTP service property SystemCookiesHTTPSProtection to set the Secure attribute on the Web session tracking cookie and the related load balancing (saplb_) cookies. If the property is set to true, the Secure attribute is set on these system cookies, and cookies marked as secure are transmitted only when the communication channel is a secure one. In this case, you must use SSL, since these cookies are not transferred via plain HTTP and session tracking over HTTP will not work.

You use the SecuritySessionIDHTTPSProtection property of the HTTP Service to protect the security session identifier cookie from being sent over an unsecured HTTP connection. When the property is set to true, the Secure attribute for the cookie is set and the browser sends it only over HTTPS.

Note

If SystemCookiesHTTPSProtection is set to true, all the Web session tracking and saplb cookies will be secure regardless of the value of SecuritySessionIDHTTPSProtection. Web session tracking will be possible only when using HTTPS, which means that the application will not function properly over HTTP.
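The following is an added example, not code from the SAP documentation or from AS Java itself: a small Python audit that checks captured Set-Cookie headers for the HttpOnly and Secure attributes on the system cookies named on this page (JSESSIONID and saplb_<group>), and flags the SystemCookiesDataProtection / disable_url_session_tracking combination the caution above warns about. The header values and the configuration dictionary are constructed sample data; the property names are the ones this page documents.

```python
from typing import Dict, List

# System cookie names from the page: JSESSIONID and saplb_<group> (load balancing).
SYSTEM_COOKIE_NAMES = ("JSESSIONID",)
SYSTEM_COOKIE_PREFIXES = ("saplb_",)

# Constructed sample Set-Cookie headers, as a defender might capture them from a response.
SAMPLE_HEADERS = [
    "JSESSIONID=A1B2C3D4E5F6; Path=/; HttpOnly",
    "saplb_J2EE=(J2EE0001)0001; Path=/",
    "TRACKING=optin; Path=/; Secure",
]


def is_system_cookie(name: str) -> bool:
    return name in SYSTEM_COOKIE_NAMES or name.startswith(SYSTEM_COOKIE_PREFIXES)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and the boolean attributes it carries."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    flags = {p.lower() for p in parts[1:] if "=" not in p}  # HttpOnly and Secure carry no value
    return {"name": name.strip(), "value": value,
            "httponly": "httponly" in flags, "secure": "secure" in flags}


def check_config(config: Dict[str, bool]) -> List[str]:
    """Flag property combinations the page warns about (keys are the documented property names)."""
    findings = []
    if config.get("SystemCookiesDataProtection") and config.get("disable_url_session_tracking"):
        findings.append("SystemCookiesDataProtection and ICM disable_url_session_tracking "
                        "are both true: AS Java cannot handle HTTP sessions correctly")
    if not config.get("SystemCookiesDataProtection"):
        findings.append("SystemCookiesDataProtection is false (default): system cookies "
                        "stay readable by client-side scripts")
    return findings


def audit_headers(headers: List[str], https_only: bool) -> List[str]:
    """Report system cookies lacking HttpOnly, and lacking Secure when HTTPS-only is expected."""
    findings = []
    for cookie in map(parse_set_cookie, headers):
        if not is_system_cookie(cookie["name"]):
            continue  # application cookies are outside the scope of these properties
        if not cookie["httponly"]:
            findings.append(f"{cookie['name']}: missing HttpOnly")
        if https_only and not cookie["secure"]:
            findings.append(f"{cookie['name']}: missing Secure")
    return findings


if __name__ == "__main__":
    print(check_config({"SystemCookiesDataProtection": True, "disable_url_session_tracking": True}))
    print(audit_headers(SAMPLE_HEADERS, https_only=True))
```

Run it against the Set-Cookie headers of a real logon response to confirm that enabling the properties actually changed what the server emits; the audit ignores application cookies, which these properties do not affect.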

You can configure the properties using SAP NetWeaver Administrator. To do this, locate the HTTP Provider Service under the Service tab of the Java System Properties.

Logon Tickets

Logon tickets are cookies that are used for user authentication and Single Sign-On on AS Java. To set this attribute for logon tickets, set the user management engine (UME) property ume.logon.httponlycookie to the value TRUE.

More information: Editing UME Properties.

Security Related Properties for HTTP Sessions

Several properties of the Web Container service control security-related aspects of HTTP sessions:

Property: SessionIPProtectionEnabled

Description: Specifies whether session IP protection is enabled. When this property is set to true, the HTTP session cannot be accessed from different IPs. Only requests from the IP that started the session are processed.

Property: SessionIdRegenerationEnabled

Description: Specifies whether session ID regeneration is enabled. When this property is set to true, the Web Container regenerates the session ID on every login.

Property: UseSecuritySessionIdUniqueName

Description: Creates a unique name for the security session identifier cookie per system. When this property is set to true, the system generates a system-specific security session identifier cookie name. This property can be used only if SessionIdRegenerationEnabled is enabled.

Property: SecuritySessionIdGracePeriod

Description: Specifies the time period (in ms) in which AS Java may accept HTTP requests that require authentication and are sent in parallel by a client. The property default value is 2000 ms.

We do not recommend increasing the default value unless the parallel HTTP requests from one client cannot be processed in less than 2 seconds, for example, on heavily loaded AS Java systems.

For more information: Parallel HTTP Requests and Session Fixation Protection

You can configure the properties using SAP NetWeaver Administrator. To do this, locate Web Container under the Service tab of the Java System Properties.

More information: Java System Properties