When viewing an HTTP response from the /BOE application, it is observed that the cookie is not secured (the Secure flag is missing):
Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly;
Expected:
Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly; Secure
- SAP BI 4.x (4.1, 4.2)
- Tomcat 7, 8, 8.5 (All PAM supported Tomcat servers)
Reproducing the Issue
- Download and run Fiddler on the client browser
- Log in to BI Launchpad
- Find the /logon.faces call and examine its Set-Cookie headers
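The manual Fiddler check above can be scripted. The following is an added example, not part of the SAP KBA: it parses the Set-Cookie headers of a captured response and reports every cookie that lacks the HttpOnly or Secure attribute. The two sample header sets are constructed from the headers quoted in this KBA (the JSESSIONID value is a placeholder), and the optional `fetch_and_audit` helper, which requests a URL such as the BI Launchpad logon.faces page and audits the live response, is an assumption about how a practitioner would run it, not something the KBA describes.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example (not SAP's code). It reproduces the KBA's manual Fiddler
check as a script so the result can be recorded or run repeatedly.
"""
from typing import Dict, List, Optional, Tuple
import urllib.request


class CookieAudit:
    """Parsed view of one Set-Cookie header (only the attributes we audit)."""

    def __init__(self, name: str, secure: bool, httponly: bool, path: Optional[str]):
        self.name = name
        self.secure = secure
        self.httponly = httponly
        self.path = path

    def missing_flags(self) -> List[str]:
        """Flags the KBA expects on a session cookie but which are absent."""
        missing = []
        if not self.httponly:
            missing.append("HttpOnly")
        if not self.secure:
            missing.append("Secure")
        return missing


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split 'name=value; Attr; Attr=val; ...' into a CookieAudit.

    Attribute names are case-insensitive per RFC 6265, so they are
    lower-cased before lookup. A trailing ';' (as in the KBA's observed
    header) produces an empty segment, which is skipped.
    """
    segments = [s.strip() for s in header_value.split(";")]
    name, _, _value = segments[0].partition("=")
    attrs: Dict[str, str] = {}
    for seg in segments[1:]:
        if not seg:
            continue
        key, _, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return CookieAudit(
        name=name.strip(),
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        path=attrs.get("path"),
    )


def audit_response(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing flags]} for every Set-Cookie header.

    Cookies that already carry both flags are omitted, so an empty dict
    means the response passes the check.
    """
    findings: Dict[str, List[str]] = {}
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        missing = cookie.missing_flags()
        if missing:
            findings[cookie.name] = missing
    return findings


def fetch_and_audit(url: str) -> Dict[str, List[str]]:
    """Request `url` and audit the Set-Cookie headers of the live response.

    Hypothetical helper: run it against your own BI Launchpad logon URL.
    Because Tomcat only marks the session cookie Secure when the
    initiating request is HTTPS, audit the https:// URL, not http://.
    """
    with urllib.request.urlopen(urllib.request.Request(url, method="GET")) as resp:
        return audit_response(resp.getheaders())


# Constructed sample headers, modelled on the headers quoted in the KBA.
SAMPLE_OBSERVED = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly;"),
    ("Set-Cookie", "JSESSIONID=PLACEHOLDER_SESSION_ID; Path=/BOE; HttpOnly"),
]
SAMPLE_EXPECTED = [
    ("Set-Cookie", "InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for label, sample in (("observed", SAMPLE_OBSERVED), ("expected", SAMPLE_EXPECTED)):
        print(label, audit_response(sample) or "all cookies carry HttpOnly and Secure")
```

Running the script prints the observed sample as missing the Secure flag on both cookies and the expected sample as clean; pointing `fetch_and_audit` at an HTTPS logon URL gives the same report for a live server.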
This is by-design behavior.
The secure flag is controlled by the application server's configuration.
- Secure: The Secure flag is an option that the application server can set when sending a new cookie to the user in an HTTP response. Its purpose is to prevent the cookie from being observed by unauthorized parties, which can happen when the cookie is transmitted in clear text.
- Both the HttpOnly and Secure flags can be enabled through the Java application server configuration. Refer to this Tomcat example.
- To set the Secure flag on cookies: configure, enable and use HTTPS on Tomcat.
- The session cookie is then set Secure if the session-initiating request is itself secure (i.e. HTTPS).
- Enabling HttpOnly cookies limits the functionality of components such as JavaScript and Java applets, which are used in some of the viewers (e.g. the Webi Java Viewer).
- As such, some of these viewers cannot support HttpOnly cookies until they are completely moved to the HTML5 interface. This issue has been analyzed in the past by the SAP BI Platform security team, and there is no way around it other than to use SSL.
- The workaround is to enable SSL so that the information in the cookies is also encrypted in transit.
- How to SSL Secure Tomcat: SAP KBA 1648573
Keywords: JSESSIONID, cookie, secured, usehttponly, security, session, KBA, BI-BIP-DEP, Webapp Deployment, Networking, Vulnerabilities, Webservices, Problem