For the ABAP front-end server and the ABAP back-end server running Enterprise Search, you must activate HTTP security session management by using the transaction SICF_SESSIONS. When you activate HTTP security session management, we recommend that you activate the following extra protection for security-related cookies:
This attribute instructs the browser to deny access to the cookie through client side script. As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a third party.
This attribute instructs the browser to send the cookie only if the request is being sent over a secure channel such as HTTPS. This helps protect the cookie from being passed over unencrypted requests.
A token-based protection against cross-site request forgery (CSRF) is active by default in SAP Gateway and SAP HANA XS SAP Fiori OData services. It protects all modifying requests.
In addition, we recommend configuring HTTP session expiration with a reasonable timeout. To configure this, you use the profile parameter http/security_session_timeout.
Logout from Multiple Systems
SAP Fiori apps only support logout with the ABAP front-end server and a single SAP HANA XS. If additional SAP Gateway systems or SAP HANA XS systems are deployed (for example, to distribute OData services across multiple server farms), the corresponding HTTP sessions are not closed when the user logs out. In this case, it is important to have session expiration configured.
For more information about activating HTTP security session management, see the following documentation:
For SAP NetWeaver 7.31, see SAP Help Portal at http://help.sap.com/nw731.
For SAP NetWeaver 7.40, see SAP Help Portal at http://help.sap.com/nw74.
For more information about session security protection for SAP Gateway, see the following documentation: