Activating HTTP Security Session Management on AS ABAP


You can use optional HTTP security sessions and activate or deactivate them for each client of AS ABAP. With an existing security session, users can start applications that require a user logon without logging on again. When a security session ends, the system also ends all application sessions that are linked to it.

A security session starts with the logon to the system and ends with the logoff from the system. Logoff can be triggered in the following ways:

  • By the user

  • By the system administrator

    A system administrator can use transaction SM05 to end an HTTP security session (and all application sessions linked to this security session). The Security Audit Log logs this event.

  • By inactivity, that is, no HTTP communication with the system.

    You can set the time period as of which the system assesses a lack of communication as user inactivity in profile parameter http/security_session_timeout.

The following profile parameters are relevant for HTTP security session management. For each parameter the possible values are listed first, followed by a comment.

  • login/create_sso2_ticket

    0: Do not create Single Sign-On Tickets (SSO Tickets)

    1: Create SSO Ticket with certificate

    2: Create SSO Ticket without certificate

    Permits the generation of Single Sign-On Tickets (logon or authentication assertion tickets).

    Recommendation: For an issuing system, we recommend the value 2, since SSO Tickets without certificates are significantly smaller. For receiving systems, we recommend that you deactivate ticket generation, that is, value 0.

  • login/accept_sso2_ticket

    0: Logon with SSO Ticket is not permissible

    1: Logon with SSO Ticket is permissible

    Defines whether users can log on with an SSO Ticket.

  • login/ticketcache_entries_max

    Default value: 1000 (number of entries)

    Defines the maximum number of entries in the cache for logon tickets.

  • login/ticketcache_off

    0: Hold logon tickets in the cache (default value)

    1: Do not hold any logon tickets in the cache

    Defines whether the system holds logon tickets in the cache.

  • login/ticket_only_by_https

    1: The ticket is sent by the browser only over HTTPS connections.

    0: The ticket is always sent, also over plain HTTP.

    Specifies whether the logon ticket cookie that the system issues on logon via HTTP(S) is marked as Secure, so that the browser returns it only over HTTPS.

  • icf/set_HTTPonly_flag_on_cookies

    0 = HTTPonly attribute active for all ICF cookies

    1 = HTTPonly attribute deactivated for the ICF logon cookie

    2 = HTTPonly attribute deactivated for all cookies except the ICF logon cookie

    3 = HTTPonly attribute deactivated for all ICF cookies

    Sets the attribute HTTPonly for ICF cookies.

    Caution: Declaring a cookie as HTTPonly increases the security of your system because it removes access to this cookie in the Web browser from client-side scripts, applets, plug-ins, and the like. This can have side effects, because some applications use such technologies and rely on this information. These applications may no longer function correctly because they can no longer access the cookie.

    Example: Consider an application that uses Java applets to perform a certain function within a Web browser application. When the user accesses the Web browser application, the backend server may authenticate the user and issue a cookie (for example, a logon ticket or a session ID) for further authentication. If the HTTPonly attribute is set for this cookie, the applet cannot access it, and because the applet uses its own communication channel, the cookie is not automatically sent back to the server either. The user therefore either sees a logon screen or notices other functional defects (for example, a blank screen), even though the user was already authenticated in the Web browser session.

  • icf/user_recheck

    0 = Check is not active

    1 = Check is active

    Defines whether, for stateful HTTP communication (that is, when an existing session is addressed), the system checks the logon data again for each HTTP request. The authentication data must match the data held in the session.

    Note: This parameter is only relevant if Security Session Management is not active (more information: SAP Note 1301591).

  • http/security_session_timeout

    Default value: 1800 (30 minutes)

    Defines the maximum time period between the receipt of two HTTP requests carrying a valid security session ID. After this period has expired, all application contexts that are connected with the security session on this application server (if you are using stateful Web applications) are closed, and the resources connected with these sessions are released (more information: rdisp/plugin_auto_logout). If the security session is no longer actively used on another application server, the security session itself is also closed. For Web-based applications or services that require authentication, all subsequent HTTP requests then lead to an authentication request.

  • http/security_context_cache_size

    Default value: 2500

    With active HTTP security session management, the system stores session contexts in a local server cache to monitor whether the session inactivity timeout is exceeded. You cannot change the cache size at runtime. Size it according to the retention period of the cache entries (that is, the session timeout value) and the expected number of simultaneous users of the application server instance.

  • rdisp/plugin_auto_logout

    Default value: 1800 seconds

    0: The system does not automatically delete the context

    Specifies the maximum period of inactivity for the user context of an external plug-in (such as HTTP) before the system closes it.

    You can specify the value with or without a time unit. A value without a time unit is interpreted in seconds; you can also append M for minutes or H for hours.

  • rdisp/autothtime

    Default value: 60 seconds

    Defines the time interval between the periodic checks in the task handler, such as the automatic resetting of trace files, the checking of the context pool for RFC servers or external plug-ins (HTTP, and so on), and the automatic logoff for external plug-ins (HTTP, and so on).

    You can specify the value with or without a time unit. A value without a time unit is interpreted in seconds; you can also append M for minutes or H for hours.
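The parameters above are easiest to review side by side. The following script is an example added to this page (it is not SAP code and does not ship with AS ABAP): it parses a small instance-profile fragment and reports the settings that contradict the recommendations listed above for a ticket-issuing or ticket-receiving system. The two profile fragments are constructed for illustration, and the cache-size rule (at least one cache entry per expected concurrent user) is an assumption derived from the comment on http/security_context_cache_size, not a figure SAP publishes.

```python
"""Review HTTP security session parameters from an AS ABAP instance profile
against the recommendations on this page.  Added example, not SAP's own code."""
from dataclasses import dataclass
from typing import Optional

# Constructed profile fragments for a *receiving* SSO system (not real instances).
WEAK_RECEIVER = """
login/create_sso2_ticket = 1          # still issues tickets (with certificate)
login/accept_sso2_ticket = 1
login/ticket_only_by_https = 0        # ticket cookie also sent over plain HTTP
icf/set_HTTPonly_flag_on_cookies = 3  # HTTPonly off for every ICF cookie
icf/user_recheck = 1                  # ignored once security sessions are active
http/security_session_timeout = 1800
http/security_context_cache_size = 2500
"""

HARDENED_RECEIVER = """
login/create_sso2_ticket = 0
login/accept_sso2_ticket = 1
login/ticket_only_by_https = 1
icf/set_HTTPonly_flag_on_cookies = 0
icf/user_recheck = 0
http/security_session_timeout = 1800
http/security_context_cache_size = 5000
"""


@dataclass(frozen=True)
class Finding:
    parameter: str
    message: str


def parse_profile(text: str) -> dict:
    """Parse 'name = value' lines; '#' starts a comment, other lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def review(params: dict, role: str, session_mgmt_active: bool = True,
           expected_users: int = 0) -> list:
    """role: 'issuing' (creates SSO tickets) or 'receiving' (accepts them).
    expected_users: planned concurrent users on the instance; 0 skips the
    cache-size check (assumed sizing rule: one cache entry per user)."""
    if role not in ("issuing", "receiving"):
        raise ValueError("role must be 'issuing' or 'receiving'")
    findings = []

    def get(name: str) -> Optional[str]:
        value = params.get(name)
        if value is None:   # not in the profile: the default applies, verify it
            findings.append(Finding(name, "not set in the profile; check the effective value"))
        return value

    create = get("login/create_sso2_ticket")
    if role == "issuing" and create not in (None, "2"):
        findings.append(Finding("login/create_sso2_ticket",
                                "issuing system should use 2 (ticket without certificate)"))
    if role == "receiving" and create not in (None, "0"):
        findings.append(Finding("login/create_sso2_ticket",
                                "receiving system should not issue tickets (use 0)"))
    if role == "receiving" and get("login/accept_sso2_ticket") not in (None, "1"):
        findings.append(Finding("login/accept_sso2_ticket",
                                "receiving system must accept SSO tickets (1) for SSO to work"))
    if get("login/ticket_only_by_https") not in (None, "1"):
        findings.append(Finding("login/ticket_only_by_https",
                                "logon ticket cookie is not restricted to HTTPS; set 1"))
    httponly = get("icf/set_HTTPonly_flag_on_cookies")
    if httponly in ("1", "3"):
        findings.append(Finding("icf/set_HTTPonly_flag_on_cookies",
                                f"value {httponly} leaves the ICF logon cookie readable by scripts; use 0 (or 2)"))
    elif httponly == "2":
        findings.append(Finding("icf/set_HTTPonly_flag_on_cookies",
                                "only the logon cookie is HTTPonly; confirm the other ICF cookies carry nothing sensitive"))
    if session_mgmt_active and get("icf/user_recheck") == "1":
        findings.append(Finding("icf/user_recheck",
                                "has no effect while security session management is active (SAP Note 1301591)"))
    cache = get("http/security_context_cache_size")
    if cache is not None and expected_users and int(cache) < expected_users:
        findings.append(Finding("http/security_context_cache_size",
                                f"{cache} entries is below the {expected_users} expected concurrent users"))
    return findings


if __name__ == "__main__":
    for f in review(parse_profile(WEAK_RECEIVER), "receiving", expected_users=4000):
        print(f"{f.parameter}: {f.message}")
```

Run against the weak fragment for a receiving system with 4000 expected users, the script reports five findings (ticket creation, HTTPS-only ticket, HTTPonly, user recheck, cache size); the hardened fragment produces none. The same hardened fragment reviewed as an issuing system is flagged only for login/create_sso2_ticket, which the page recommends as 2 on that side.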

Procedure

  1. Start HTTP Session Management (transaction SICF_SESSIONS).

    A list of all of the clients that exist in the system appears.

  2. Select the relevant line and choose Activate.

    The Security Audit Log records this activation or deactivation of HTTP Security Session Management.
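After activation, the effect of the cookie-related parameters above can be verified from the outside by looking at the Set-Cookie headers the instance returns on logon. The following checker is an example added to this page (not SAP code): it parses the response headers of a constructed logon response, identifies the security session cookie and the logon ticket cookie, and reports missing HTTPonly and Secure attributes together with the profile parameter that controls them. The cookie names used (SAP_SESSIONID_<SID>_<client> and MYSAPSSO2) are the customary ones and are treated here as assumptions; both sample responses and all cookie values are constructed, not captured from a system.

```python
"""Audit the Set-Cookie headers of an AS ABAP logon response for the HTTPonly
and Secure attributes.  Added example, not SAP's own code."""
from dataclasses import dataclass

SESSION_PREFIX = "SAP_SESSIONID_"  # security session cookie, e.g. SAP_SESSIONID_ABC_100 (assumed name)
LOGON_TICKET = "MYSAPSSO2"         # SSO logon ticket cookie (assumed name)

# Constructed responses; values are dummies, nothing here came from a real system.
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"content-type: text/html; charset=utf-8\r\n"
    b"set-cookie: sap-usercontext=sap-client=100; path=/\r\n"
    b"set-cookie: SAP_SESSIONID_ABC_100=dummySessionId%3d; path=/; HttpOnly\r\n"
    b"set-cookie: MYSAPSSO2=dummyTicketValue; path=/; domain=.example.com\r\n"
    b"\r\n"
    b"<html>...</html>"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"content-type: text/html; charset=utf-8\r\n"
    b"set-cookie: sap-usercontext=sap-client=100; path=/; HttpOnly\r\n"
    b"set-cookie: SAP_SESSIONID_ABC_100=dummySessionId%3d; path=/; Secure; HttpOnly\r\n"
    b"set-cookie: MYSAPSSO2=dummyTicketValue; path=/; domain=.example.com; Secure; HttpOnly\r\n"
    b"\r\n"
    b"<html>...</html>"
)


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    attrs: dict  # lower-cased attribute name -> value, or True for flag attributes


@dataclass(frozen=True)
class Finding:
    cookie: str
    problem: str
    control: str  # profile parameter (or other control) responsible


def parse_set_cookie(header_value: str) -> Cookie:
    """Split 'name=value; Attr; Attr=val' into a Cookie; attribute names are case-insensitive."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, sep, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value, attrs)


def cookies_from_response(raw: bytes) -> list:
    """Return all Set-Cookie headers of a raw HTTP response as Cookie objects."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    found = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            found.append(parse_set_cookie(val.strip()))
    return found


def audit(raw: bytes, over_https: bool = True) -> list:
    """Report attribute problems on the credential-bearing ICF cookies."""
    findings = []
    for c in cookies_from_response(raw):
        is_session = c.name.startswith(SESSION_PREFIX)
        is_ticket = c.name == LOGON_TICKET
        if not (is_session or is_ticket):
            continue  # e.g. sap-usercontext: holds no credential
        if "httponly" not in c.attrs:
            findings.append(Finding(c.name, "missing HttpOnly", "icf/set_HTTPonly_flag_on_cookies"))
        if not over_https:
            findings.append(Finding(c.name, "credential cookie issued on a plain-HTTP response",
                                    "serve the ICF service over HTTPS only"))
        elif "secure" not in c.attrs:
            control = ("login/ticket_only_by_https" if is_ticket
                       else "not governed by the parameters above; check the HTTPS setup of the ICF service")
            findings.append(Finding(c.name, "missing Secure", control))
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_RESPONSE):
        print(f"{f.cookie}: {f.problem} ({f.control})")
```

On the weak response the audit reports three findings: the session cookie lacks Secure, and the logon ticket lacks both HTTPonly (icf/set_HTTPonly_flag_on_cookies) and Secure (login/ticket_only_by_https). The hardened response produces no findings. To use it against a real instance, feed it the raw response bytes of a logon request to an ICF service and set over_https according to how the request was made.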