When viewing an HTTP response from the /BOE application, the cookie is observed to be set without the secure flag:
Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly;
For comparison, the same header with the secure flag set:
Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly; Secure
- SAP BI 4.0
- Tomcat 7
Reproducing the Issue
- Download and run Fiddler on the client browser
- Log in to BI Launchpad
- Find the /logon.faces call and examine the Set-Cookie header
This is by-design behavior.
The secure flag is controlled by the application server's configuration.
- Secure: The secure flag is an option that the application server can set when sending a new cookie to the user within an HTTP response. Its purpose is to prevent cookies from being observed by unauthorized parties through transmission of the cookie in clear text.
To set the secure flag on cookies: configure, enable and use HTTPS on Tomcat.
The session cookie will be set secure if the session-initiating request is itself secure (i.e. HTTPS).
- How to SSL Secure Tomcat: http://service.sap.com/sap/support/notes/1648573
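To confirm the result once HTTPS is enabled, the Set-Cookie headers copied from the Fiddler capture can be checked with a short script. This is an added example, not part of the SAP note: the function names are hypothetical, and the sample input is the two headers shown above plus one constructed JSESSIONID line.

```python
"""Audit captured Set-Cookie headers for missing Secure / HttpOnly flags."""

# Sample input: the two headers from this note, plus one constructed line
# that exercises case-insensitive matching of field and attribute names.
SAMPLE_HEADERS = [
    "Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly;",
    "Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly; Secure",
    "set-cookie: JSESSIONID=constructed-value; path=/BOE; SECURE; httponly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs)."""
    header = header.strip()
    # Accept the line with or without the leading "Set-Cookie:" field name.
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    # A trailing ';' (as in the first sample) yields an empty part; drop it.
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("not a cookie pair: %r" % header)
    name, value = parts[0].split("=", 1)
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names ignore case
    return name.strip(), value.strip(), attrs


def audit(headers, required=("secure", "httponly")):
    """Return [(cookie_name, [missing attributes])] for each offending header."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS):
        print("%s: missing %s" % (cookie, ", ".join(missing)))
```

Run against a capture taken over plain HTTP, the script reports the cookie as missing `secure`; the same capture taken over HTTPS should produce no findings.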