SAP Knowledge Base Article - Public

1898697 - httponly and secure flag options for BI Launchpad cookies


Symptom

When viewing an HTTP response from the /BOE application, the cookie is observed to be sent without the Secure flag:


Observed:

Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly;

Expected:

Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly; Secure



Environment

  • SAP BI 4.x (4.1, 4.2)
  • Tomcat 7, 8, 8.5 (all PAM-supported Tomcat servers)

Reproducing the Issue

  1. Download and run Fiddler on the client machine that runs the browser
  2. Log in to BI Launchpad
  3. Find the /logon.faces call and examine its Set-Cookie header


Cause

This is by-design behavior.

The Secure flag is controlled by the application server's configuration, not by the BI application itself.



Resolution

  • HttpOnly: If the HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through client-side script. The session and SSO cookies in Tomcat 7 are sent with the HttpOnly flag by default, which instructs browsers to block access to those cookies from JavaScript. This is considered more secure, but it prevents JavaScript from reading the value of the cookie.

  • Secure: The Secure flag is an option that the application server can set when sending a new cookie to the user within an HTTP response. Its purpose is to stop the cookie from being observed by unauthorized parties as a result of being transmitted in clear text: a browser only sends a Secure cookie over HTTPS.


  • Both the HttpOnly and Secure flags can be enabled through the Java application server configuration. Refer to this Tomcat example.
  • To set the Secure flag on cookies: configure, enable and use HTTPS on Tomcat.
  • The session cookie will then be set Secure if the request that initiates the session is itself secure (i.e. HTTPS).
  • Enabling HttpOnly cookies will limit the functionality of areas such as JavaScript and Java applets, which are used in some of the viewers (e.g. the Webi Java Viewer).
  • As such, some of these viewers cannot support HttpOnly cookies until they are completely moved to the HTML5 interface. This issue has been analyzed in the past by the SAP BI Platform security team, and there is no way around it other than to use SSL.
  • The workaround is to enable SSL so that the information in the cookies is also encrypted in transit.
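The check from "Reproducing the Issue" can be scripted instead of read off Fiddler by hand. The block below is an added example, not SAP or Tomcat code: it parses the Set-Cookie headers of a captured response head, reports whether each cookie carries HttpOnly and Secure, and notes the point made in the Resolution that a cookie issued over plain HTTP travels in clear text whatever its flags. The two response heads and the cookie values are constructed for the example; the cookie names follow the ones on this page.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example (not SAP/Tomcat code). The sample responses below are
constructed; only the cookie names mirror the ones discussed on the page.
"""
import re
from dataclasses import dataclass, field
from typing import List

FINDING_NO_HTTPONLY = "HttpOnly missing: cookie value is readable by client-side script"
FINDING_NO_SECURE = "Secure missing: browser will also send this cookie over plain HTTP"
FINDING_PLAINTEXT = "Issued over plain HTTP: cookie travels in clear text regardless of flags"


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str, over_https: bool = True) -> CookieAudit:
    """Parse one Set-Cookie value ("name=value; Attr; Attr=val") and audit its flags.

    over_https says whether the response was received on an HTTPS connection;
    Tomcat only marks the session cookie Secure when that is the case.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; a trailing ";" leaves an empty part to skip.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    audit = CookieAudit(name, "httponly" in attrs, "secure" in attrs)
    if not audit.http_only:
        audit.findings.append(FINDING_NO_HTTPONLY)
    if not audit.secure:
        audit.findings.append(FINDING_NO_SECURE)
    if not over_https:
        audit.findings.append(FINDING_PLAINTEXT)
    return audit


def audit_response(raw_headers: str, over_https: bool) -> List[CookieAudit]:
    """Pick every Set-Cookie header out of a raw response head and audit each one."""
    results = []
    for line in raw_headers.splitlines():
        match = re.match(r"set-cookie\s*:\s*(.*)", line, re.IGNORECASE)
        if match:
            results.append(parse_set_cookie(match.group(1), over_https))
    return results


# Constructed response head: BI Launchpad logon over plain HTTP (before the fix).
SAMPLE_HTTP_RESPONSE = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CONSTRUCTED0000000000000000SESSION; Path=/BOE; HttpOnly
Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly;
Content-Type: text/html;charset=UTF-8
"""

# Constructed response head: the same logon after HTTPS is enabled on Tomcat.
SAMPLE_HTTPS_RESPONSE = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CONSTRUCTED0000000000000000SESSION; Path=/BOE; Secure; HttpOnly
Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly; Secure
Content-Type: text/html;charset=UTF-8
"""


if __name__ == "__main__":
    for label, raw, https in (("HTTP", SAMPLE_HTTP_RESPONSE, False),
                              ("HTTPS", SAMPLE_HTTPS_RESPONSE, True)):
        for cookie in audit_response(raw, https):
            print(f"[{label}] {cookie.name}: HttpOnly={cookie.http_only} Secure={cookie.secure}")
            for finding in cookie.findings:
                print("    -", finding)
```

Run it against a response head pasted from Fiddler (or from the browser's network tab) with over_https set to match the connection you captured on. A clean result on the HTTPS capture, and the expected "Secure missing" on the HTTP one, is exactly the by-design behaviour this article describes.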

See Also


Keywords

JSESSIONID, cookie, secured, usehttponly, security, session, KBA, BI-BIP-DEP, Webapp Deployment, Networking, Vulnerabilities, Webservices, Problem


Product

Crystal Reports 2008 V1