1898697 - httponly and secure flag options for BI Launchpad cookies

SAP Knowledge Base Article - Public

Symptom

When viewing an HTTP response from the /BOE application, it is observed that the cookie is not secured (secure flag is missing):

Example:

Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly;

vs.

Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly; Secure

Environment

  • SAP BI 4.0
  • Tomcat 7

Reproducing the Issue

  1. Download and run Fiddler on the client browser
  2. Login to BI Launchpad
  3. Find the /logon.faces call and examine its Set-Cookie header

Cause

This is by-design behavior.

The secure flag is controlled by the application server's configuration.

Resolution

Definitions

  • HttpOnly: If the HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through client-side script. The session and SSO cookies in Tomcat 7 are sent with the HttpOnly flag by default, to instruct browsers to prevent access to those cookies from JavaScript. This is considered more secure, but it will prevent JavaScript from accessing the value of the cookie.

  • Secure: The Secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP response. The purpose of the Secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text.

Solution:

To set the secure flag on cookies: configure, enable and use HTTPS on Tomcat.

The session cookie will be set Secure if the session-initiating request is itself secure (i.e. HTTPS).
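To verify the fix from a captured response rather than by eye, here is an added example (not SAP's or Tomcat's code) that parses Set-Cookie headers and reports which of the two flags each cookie lacks; the sample headers are constructed from the ones shown above, and the JSESSIONID lines are assumed values.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes."""
from typing import Dict, List

# Constructed sample headers modelled on the ones quoted in this article.
SAMPLE_HEADERS = [
    "Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly;",
    "Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly; Secure",
    "Set-Cookie: JSESSIONID=ABC123; Path=/BOE; Secure",   # assumed value
    "Set-Cookie: JSESSIONID=DEF456; Path=/BOE",           # assumed value
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into the cookie name and a lower-cased
    set of attribute names (e.g. {"path", "httponly", "secure"})."""
    _, _, value = header.partition(":")
    # A trailing ';' (as in the first sample) yields an empty part; drop it.
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return {"name": name, "attrs": attrs}


def audit_cookies(headers: List[str]) -> List[Dict[str, object]]:
    """Return one finding per Set-Cookie header, listing the protective
    flags (httponly, secure) that are missing from that cookie."""
    findings = []
    for h in headers:
        if not h.lower().startswith("set-cookie:"):
            continue  # ignore any other response header lines
        cookie = parse_set_cookie(h)
        missing = [f for f in ("httponly", "secure") if f not in cookie["attrs"]]
        findings.append({"name": cookie["name"], "missing": missing})
    return findings


if __name__ == "__main__":
    for f in audit_cookies(SAMPLE_HEADERS):
        status = "OK" if not f["missing"] else "missing " + ", ".join(f["missing"])
        print(f"{f['name']}: {status}")
```

Feed it the raw response header lines captured in Fiddler; any cookie reported as missing "secure" was issued over a non-HTTPS session-initiating request.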

Keywords

JSESSIONID, cookie, secured, usehttponly, security, session, KBA, BI-BIP-DEP, SBOP Web Application Deployment, Wdeploy, Problem

Product

Crystal Reports 2008 V1