1898697 - httponly and secure flag options for BI Launchpad cookies



When viewing an HTTP response from the /BOE application, it is observed that the cookie is not secured (secure flag is missing):


Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly;


Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly; Secure



  • SAP BI 4.0
  • Tomcat 7

Reproducing the Issue

  1. Download and run Fiddler on the client browser
  2. Login to BI Launchpad
  3. Find the /logon.faces call and examine the Set-Cookie header:


This is by-design behavior.

The secure flag is controlled by the application server's configuration.



  • HttpOnly: If the HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through client-side script. The session and SSO cookies in Tomcat 7 are sent with the HttpOnly flag by default, to instruct browsers to prevent access to those cookies from JavaScript. This is considered more secure, but it prevents JavaScript from accessing the value of the cookie.

  • Secure: The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text.


To set the secure flag on cookies: configure, enable and use HTTPS on Tomcat.

The session cookie will be set as secure if the session-initiating request is itself secure (i.e., HTTPS).
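
To confirm the result after HTTPS is enabled, the header inspection from the reproduction steps can be scripted. The Python below is an added example, not part of the SAP note: it parses the two Set-Cookie headers quoted above (including the trailing ";" and the empty value) and reports which flags are missing. The function names and the JSESSIONID sample value are assumptions made for illustration.

```python
# Added example: audit Set-Cookie headers for the HttpOnly and Secure flags.
# Function names are hypothetical; they are not from SAP or Tomcat.

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs).

    attrs maps lower-cased attribute names to their value ('' for flags).
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    # Empty parts come from a trailing ';' as in the first header of the note.
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("not a cookie pair: %r" % header)
    name, value = parts[0].split("=", 1)
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def missing_flags(header, over_https):
    """Return the protective flags that a cookie lacks.

    Secure is only expected when the response was served over HTTPS,
    which is the case in which the note says the flag is set.
    """
    _, _, attrs = parse_set_cookie(header)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if over_https and "secure" not in attrs:
        missing.append("Secure")
    return missing


# The two headers quoted in the note, plus one constructed header.
SAMPLES = [
    "Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly;",
    "Set-Cookie: InfoViewPLATFORMSVC_COOKIE_TOKEN=; Path=/; HttpOnly; Secure",
    "Set-Cookie: JSESSIONID=CONSTRUCTED0000; Path=/BOE",  # constructed value
]

if __name__ == "__main__":
    for h in SAMPLES:
        name, _, _ = parse_set_cookie(h)
        print(name, missing_flags(h, over_https=True) or "ok")
```

Attribute names are compared case-insensitively, so a header written as "secure" or "HTTPONLY" is treated the same as the spelling shown in the note.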
