
AS Java Cookies

Caution

The session and load balancing cookies described below are used by the AS Java as a means of performing session tracking and load balancing for Web applications, respectively. You should not use the syntax of those cookies explicitly in your application logic. To work properly, your HTTP client must handle all cookies sent by the AS Java according to the HTTP State Management Mechanism (RFC 2109). This documentation provides an overview of the syntax and attributes of the cookies to help you understand how they are used by the AS Java.

Session Cookie

The AS Java uses this type of cookie for session tracking.

The name of the session cookie is JSESSIONID (in accordance with the Java™ Servlet 2.5 specification). The value of the JSESSIONID cookie has a specific format that includes information necessary for the process of session tracking. If the cookie sent with the request is not compliant with this format, it is ignored by the Web Container and is therefore not used for session tracking.

From an application developer’s point of view, the generation of the cookie and the details of the format are of no interest. It is all handled by the Web Container. You only need to be aware that a JSESSIONID cookie is set on your HTTP client with the first request to the application, at which point a session has been established.

More information about the session tracking process: Session Tracking with Servlets.

Session Cookie Attributes

The Web Container sets the following attributes when creating a session cookie by default:

·        Domain attribute – the value of this attribute must be a fully-qualified host name (FQHN). A fully-qualified host name means either the fully-qualified domain name of a host (that is, a complete domain name ending in a top-level domain such as .com or .org), or the numeric Internet Protocol (IP) address of a host. The AS Java’s Web Container sets the domain attribute using the host name from the client request. If it is an IP address, it sets the IP address as the domain attribute value. If it is a domain name of the type A.B.C, where B and C do not contain dots, it sets a domain attribute value of *.B.C. If the host is not a fully-qualified domain name, the domain attribute is not set. The domain attribute value specifies the set of hosts to which the cookie must be sent.

·        Path attribute – this specifies the subset of URLs to which this cookie applies. The AS Java’s Web Container sets the path attribute of the session cookie to “/”. Thus, the cookie applies to all Web applications on a given host. This value is also necessary to perform Single Sign-On for Web applications.

Note

You may have to adapt the default domain attribute of the JSESSIONID cookie in certain cases when several servers share the same domain. For more information, refer to SAP Note 791765 (that note was created for SAP NetWeaver 2004 but is still applicable to SAP NetWeaver 7.1).
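The domain rules above, as an added illustration that is not SAP code: `session_cookie_domain` derives the Domain attribute the Web Container would set from a request host, reproducing the page's *.B.C notation, and `cookie_sent_to` shows which hosts consequently receive the session cookie. Hosts with fewer than three labels are treated as "not set" here, an assumption since the text only specifies the A.B.C case.

```python
import ipaddress
from typing import Optional


def session_cookie_domain(request_host: str) -> Optional[str]:
    """Domain attribute value for JSESSIONID derived from the request host.
    None means the attribute is not set. Reconstruction of the documented
    rules for illustration, not the Web Container's implementation."""
    host = request_host.strip().lower()
    if host.count(":") == 1:          # drop an explicit port such as host:50000
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)    # numeric IP address: used verbatim
        return host
    except ValueError:
        pass
    labels = host.split(".")
    # A.B.C with B and C free of dots: the last two labels form the domain.
    # Assumption: a bare host name or a two-label name is treated as "not set".
    if len(labels) >= 3 and all(labels[-2:]) and labels[-1].isalpha():
        return "*." + ".".join(labels[-2:])
    return None


def cookie_sent_to(domain_attr: Optional[str], origin_host: str, target_host: str) -> bool:
    """Would a browser send a cookie with Domain `domain_attr`, set by
    `origin_host`, on a request to `target_host`? This is what makes the
    *.B.C default share the session with every host under B.C."""
    origin, target = origin_host.lower(), target_host.lower()
    if domain_attr is None:           # no Domain attribute: current host only
        return target == origin
    if domain_attr.startswith("*."):  # *.B.C: every host under B.C (and B.C itself)
        suffix = domain_attr[1:]      # ".B.C"
        return target == suffix[1:] or target.endswith(suffix)
    return target == domain_attr      # IP address: exact match only


if __name__ == "__main__":
    # Constructed sample hosts
    for h in ("10.1.2.3", "sapserver", "portal.example.com:50000", "ci.sub.example.com"):
        print(h, "->", session_cookie_domain(h))
```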

Load Balancing Cookie

This type of cookie is used by SAP Web Dispatcher to perform load balancing of HTTP requests to distributed Web applications. The cookie name is composed of the saplb_ string and a string that represents a logon group. A logon group is defined by a set of Java EE instances with certain application aliases that are active on them. The value contains information about the server process the application runs on, as well as the Web AS Java instance the server resides in.

The load balancing cookie is used by the SAP Web Dispatcher (or a third party load balancing solution) for instance-based load balancing.

Load Balancing Cookie Default Attributes

·        Domain attribute – no domain attribute is set. This means the cookie is valid for the current host only.

·        Path attribute – the value of this attribute is set to “/”. This means the cookie applies to all Web applications on a given host.

Note

You can configure the attributes that the AS Java sets to the session and load balancing cookies using the <cookie-config> element of the web-j2ee-engine.xml deployment descriptor of your Web applications.

HttpOnly Attribute for Cookie Security Protection

To increase the security protection of system cookies (session and load balancing cookies) and to prevent potential misuse of session information in cookies by client-side scripts during server runtime, you can enable the use of the additional system cookie attribute HttpOnly. When the use of the HttpOnly attribute is enabled, Web browsers return empty responses to JavaScript requests for access to the system cookies.

Caution

This feature currently has effect only for Web browsers Internet Explorer version 6.0 SP1 and later. For more information about the HttpOnly feature in Internet Explorer 6.0 SP1, see the relevant documents available at msdn.microsoft.com. For more information about support for this feature by other Web browsers, consult the documentation of your Web browser provider.

You enable the runtime use of the HttpOnly attribute for system cookies by configuring the value of the HTTP service property SystemCookiesDataProtection to true.

Recommendation

For backward compatibility, by default the HttpOnly attribute is not enabled for use in system cookies. We recommend that you manually enable it after verifying that your applications do not rely on reading system cookies on the client side.
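One way to verify the setting after enabling SystemCookiesDataProtection, as an added example that is not SAP code: parse the Set-Cookie headers of a response and report any system cookie (JSESSIONID or saplb_<group>) that lacks HttpOnly or the documented Path of "/". The header values are constructed placeholders.

```python
from typing import Dict, List


def is_system_cookie(name: str) -> bool:
    """System cookies the AS Java sets: the session cookie and load balancing cookies."""
    return name == "JSESSIONID" or name.startswith("saplb_")


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header value into name/value plus its attributes.
    Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_system_cookies(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Per system cookie, list the deviations from the documented attributes.
    An empty list means the cookie carries HttpOnly and Path=/."""
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        if not is_system_cookie(c["name"]):
            continue                      # application cookies are out of scope
        issues = []
        if "httponly" not in c:
            issues.append("HttpOnly attribute missing")
        if c.get("path") != "/":
            issues.append("Path is %r, expected '/'" % c.get("path"))
        findings[c["name"]] = issues
    return findings


# Constructed sample: one protected session cookie, one unprotected load balancing cookie
SAMPLE_HEADERS = [
    "JSESSIONID=PLACEHOLDERVALUE; Path=/; HttpOnly",
    "saplb_GROUP1=PLACEHOLDERVALUE; Path=/",
    "myappcookie=abc; Path=/myapp",
]

if __name__ == "__main__":
    for name, issues in audit_system_cookies(SAMPLE_HEADERS).items():
        print(name, "OK" if not issues else "; ".join(issues))
```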
