
Session Security Protection

Java EE applications running on the AS Java use system cookies to track user data (session tracking, logon data, and so on). These cookies contain sensitive information about the user, so to prevent misuse of session information they should not be exposed to client-side scripts. To increase the protection of system cookies, you can enable the additional cookie attribute HttpOnly, which tells the browser to keep sending the cookie with HTTP requests but to hide it from scripts (for example, from reads of document.cookie).

System Cookies

SAP NetWeaver Application Server Java (AS Java) system cookies affected by this configuration include:

- Cookies for tracking Web browser sessions, such as JSESSIONID (in accordance with the Java Servlet 2.5 specification)

- Cookies named saplb_<string>, where <string> represents a logon group for load balancing

More information: AS Java Cookies.

When you enable the HttpOnly attribute for these system cookies, browsers that support the attribute (see the caution below) no longer expose the cookies to client-side script: a JavaScript request for the cookie, such as a read of document.cookie, returns an empty value for it. The cookie is still sent with HTTP requests, so server-side session tracking is unaffected.

Caution

This feature has an effect only in Web browsers that implement the HttpOnly attribute. At the time this documentation was written, that was Internet Explorer version 6.0 SP1 and later; for more information about the HttpOnly feature in Internet Explorer 6.0 SP1, see the relevant documents available at msdn.microsoft.com. For information about support of this feature in other Web browsers, consult the documentation provided by your Web browser vendor. Note also that HttpOnly only prevents scripts from reading the cookie value. It does not prevent cross-site scripting itself, and a script running in the user's browser can still issue requests that the browser sends with the cookie attached.

To enable the HttpOnly attribute for system cookies, set the HTTP service property SystemCookiesDataProtection to the value true.

Recommendation

For backward compatibility, the HttpOnly attribute is not enabled for system cookies by default. We recommend that you enable it manually after verifying that your applications do not rely on reading system cookies on the client side (for example, JavaScript that reads JSESSIONID or a saplb_ cookie from document.cookie).

Logon Tickets

Logon tickets are cookies that are used for user authentication and Single Sign-On on the AS Java. They are not covered by SystemCookiesDataProtection; to set the HttpOnly attribute for logon tickets, set the user management engine (UME) property ume.logon.httponlycookie to the value TRUE.

More information: Editing UME Properties.
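After setting SystemCookiesDataProtection and ume.logon.httponlycookie, the check a practitioner wants is to look at what the server actually sends. The following script is an added example (mine, not SAP's code or documentation): it parses Set-Cookie headers, picks out the system cookies this page names (JSESSIONID and saplb_<group>) plus the logon ticket cookie, and reports which of them lack HttpOnly. The logon ticket cookie name MYSAPSSO2 is assumed from SAP's standard naming and is not stated on this page; the sample headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly attribute on AS Java system cookies.

Editor's example; not SAP code. It checks the cookies this page names (JSESSIONID,
saplb_<group>) plus the logon ticket cookie, whose name (MYSAPSSO2) is assumed here
from SAP's standard naming and is not stated on this page.
"""
import re
import sys
import urllib.request
from dataclasses import dataclass

# Patterns for the system cookies whose HttpOnly flag we want to verify.
SYSTEM_COOKIES = (
    ("JSESSIONID", re.compile(r"^JSESSIONID$")),
    ("saplb_<group>", re.compile(r"^saplb_.+$")),
    ("logon ticket", re.compile(r"^MYSAPSSO2$")),  # assumed cookie name
)


@dataclass
class SetCookie:
    name: str
    value: str
    attributes: dict  # lower-cased attribute name -> value ("" for flags)


def parse_set_cookie(header_value: str) -> SetCookie:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    flag attributes such as HttpOnly and Secure map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed Set-Cookie header: {header_value!r}")
    attributes = {}
    for part in parts[1:]:
        if not part:
            continue
        attr, _, attr_value = part.partition("=")
        attributes[attr.strip().lower()] = attr_value.strip()
    return SetCookie(name.strip(), value, attributes)


def classify(name: str):
    """Return which kind of system cookie this is, or None for application cookies."""
    for label, pattern in SYSTEM_COOKIES:
        if pattern.match(name):
            return label
    return None


def audit(set_cookie_headers):
    """Return (cookie name, kind, httponly_set) for every system cookie found.

    Application cookies are ignored: SystemCookiesDataProtection only governs the
    system cookies, and ume.logon.httponlycookie only the logon ticket.
    """
    results = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        kind = classify(cookie.name)
        if kind is not None:
            results.append((cookie.name, kind, "httponly" in cookie.attributes))
    return results


def missing_httponly(set_cookie_headers):
    """Names of system cookies that are still readable by client-side script."""
    return [name for name, _, flagged in audit(set_cookie_headers) if not flagged]


# Constructed sample response headers: JSESSIONID and saplb_ as issued with the
# default (HttpOnly off), the logon ticket after ume.logon.httponlycookie=TRUE,
# and an unrelated application cookie that the audit must leave alone.
SAMPLE_HEADERS = [
    "JSESSIONID=A1B2C3D4E5F6.server0; Path=/",
    "saplb_J2EE=(J2EE1234520)1234550; Path=/",
    "MYSAPSSO2=AjExMDAgAAoAAABBZG1pbg; Path=/; Domain=.example.com; HttpOnly",
    "ui_theme=dark; Path=/webapp",
]


def fetch_set_cookie_headers(url: str):
    """Fetch a URL and return its Set-Cookie headers (run this against your own AS Java)."""
    with urllib.request.urlopen(url) as response:
        return response.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for name, kind, flagged in audit(headers):
        print(f"{name:<12} {kind:<14} HttpOnly={'yes' if flagged else 'NO'}")
    if missing_httponly(headers):
        sys.exit(1)
```

Run it without arguments to see the constructed sample, or pass the URL of a page on your AS Java that establishes a session (after logon for the logon ticket) to audit the real headers. A non-zero exit means at least one system cookie is still script-readable, which on the AS Java points at SystemCookiesDataProtection or ume.logon.httponlycookie not being set on the instance that answered.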

Security Related Property for HTTP Sessions

There is a property of the Web Container service that controls security-related aspects of HTTP sessions:

Property: SessionIdRegenerationEnabled

Description: Specifies whether session identifier regeneration is enabled. When this property is set to true, the Web Container regenerates the security session identifier on every login, so that a session identifier issued to a client before authentication is not carried over into the authenticated session. This protects against session fixation, where an attacker plants a known session identifier in the victim's browser before the victim logs in.

You can configure the properties using SAP NetWeaver Administrator. To do this, locate Web Container under the Service tab of Java System Properties.
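To make the effect of SessionIdRegenerationEnabled concrete, here is an added example (mine, not SAP's code) that models a servlet container with and without regeneration on login and runs a session fixation attempt against each. The WebContainer class, the function names and the scenario steps are my own construction; the only thing taken from this page is the behaviour being modelled, a new identifier on every login.

```python
"""Why regenerating the session identifier on login matters: a session fixation model.

Editor's example, not SAP code. It models a servlet container the way this page
describes SessionIdRegenerationEnabled (a new identifier on every login); the
class and function names are my own.
"""
import secrets


class WebContainer:
    """Minimal model of session handling with an optional regenerate-on-login switch."""

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # session id -> session state

    def get_or_create_session(self, session_id):
        """Return a valid session id, creating an anonymous session if needed."""
        if session_id not in self.sessions:
            session_id = secrets.token_hex(16)
            self.sessions[session_id] = {"user": None}
        return session_id

    def login(self, session_id, user: str) -> str:
        """Authenticate the session and return the id the client must use from now on."""
        session_id = self.get_or_create_session(session_id)
        if self.regenerate_on_login:
            # Move the state to a fresh id and invalidate the old one, so an
            # identifier known to anyone before login stops being valid.
            fresh_id = secrets.token_hex(16)
            self.sessions[fresh_id] = self.sessions.pop(session_id)
            session_id = fresh_id
        self.sessions[session_id]["user"] = user
        return session_id

    def whoami(self, session_id):
        """Return the user bound to the session id, or None if it is not valid."""
        state = self.sessions.get(session_id)
        return state["user"] if state else None


def run_fixation_scenario(regenerate_on_login: bool) -> dict:
    """Play out a session fixation attempt and report who ends up with what."""
    container = WebContainer(regenerate_on_login)
    # 1. The attacker obtains a valid unauthenticated session id from the server.
    planted_id = container.get_or_create_session(None)
    # 2. The attacker plants it in the victim's browser (for example via a crafted
    #    link or an injected cookie); the victim then logs in with that id.
    victim_id = container.login(planted_id, "victim")
    # 3. The attacker presents the planted id and checks whose session it is.
    return {
        "attacker_gets_victim_session": container.whoami(planted_id) == "victim",
        "victim_still_logged_in": container.whoami(victim_id) == "victim",
    }


if __name__ == "__main__":
    for setting in (False, True):
        print(f"SessionIdRegenerationEnabled={setting}: {run_fixation_scenario(setting)}")
```

With regeneration off, the identifier the attacker planted becomes the victim's authenticated session. With regeneration on, the victim is moved to a fresh identifier at login and the planted one is invalidated, so the attacker holds nothing of value while the victim's own session keeps working.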
