Configuring ABAP Server Session Security

Use

For the ABAP front-end server and the ABAP back-end server running Enterprise Search, you must activate HTTP security session management by using the transaction SICF_SESSIONS. When you activate HTTP security session management, we recommend that you activate the following extra protection for security-related cookies:

  • HttpOnly

    This attribute instructs the browser to deny access to the cookie through client-side script. As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a third party.

  • Secure

    This attribute instructs the browser to send the cookie only if the request is being sent over a secure channel such as HTTPS. This helps protect the cookie from being passed over unencrypted requests.
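The two attributes above are only effective if the server actually emits them, so a check of the Set-Cookie headers returned after activation is worthwhile. The following is an added example and not part of the SAP documentation: it parses Set-Cookie headers and reports which cookies lack HttpOnly or Secure. The cookie names and headers are constructed samples, not real SAP cookie names.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example (not SAP's code): feed it the Set-Cookie headers an ABAP
server returns after HTTP security session management is activated and it
reports every cookie that is missing HttpOnly or Secure.
"""
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and attribute flags.

    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_protections(header: str) -> List[str]:
    """Return the required attributes absent from this cookie header."""
    attrs = parse_set_cookie(header)["attrs"]
    return [flag for flag in ("httponly", "secure") if flag not in attrs]


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its missing attributes (empty list = OK)."""
    report = {}
    for h in headers:
        report[parse_set_cookie(h)["name"]] = missing_protections(h)
    return report


# Constructed sample headers: one cookie is protected, one is not.
SAMPLE_HEADERS = [
    "SESSION_COOKIE=abc123; path=/; HttpOnly; Secure",
    "LEGACY_COOKIE=xyz789; path=/",
]

if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

In practice the headers would come from an HTTPS response to a logon request against the front-end server; the check must be run over HTTPS, since a plain-HTTP request will not receive a Secure cookie at all.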

Note

A token-based protection against cross-site request forgery (CSRF) is active by default in SAP Gateway and SAP HANA XS SAP Fiori OData services. It protects all modifying requests.

In addition, we recommend configuring HTTP session expiration with a reasonable timeout. To configure this, you use the profile parameter http/security_session_timeout.

Logout from Multiple Systems

SAP Fiori apps only support logout with the ABAP front-end server and a single SAP HANA XS. If additional SAP Gateway systems or SAP HANA XS systems are deployed (for example, to distribute OData services across multiple server farms), the corresponding HTTP sessions are not closed when the user logs out. In this case, it is important to have session expiration configured.

More Information

For more information about activating HTTP security session management, see the following documentation:

  • For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nw731 under Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Authentication Infrastructure > AS ABAP Authentication Infrastructure > Activating HTTP Security Session Management on AS ABAP.

  • For SAP NetWeaver 7.40, see SAP Help Portal at http://help.sap.com/nw74 under Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Authentication Infrastructure > AS ABAP Authentication Infrastructure > Activating HTTP Security Session Management on AS ABAP.

For more information about session security protection for SAP Gateway, see the following documentation:

  • For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nwgateway20 under Security Information > Security Guide > SAP Gateway Security Guide > Session Security Protection.

  • For SAP NetWeaver 7.40, see SAP Help Portal at http://help.sap.com/nw74 under Application Help > Function-Oriented View > SAP Gateway Foundation (SAP_GWFND) > SAP Gateway Foundation Security Guide > Session Security Protection.