- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- How to set HTTPOnly attribute on cookies
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
How to set HTTPOnly attribute on cookies
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2016 Jun 10 2:20 PM
- SAP Managed Tags:
- Security
Hi
We know that cookies created by SAP software can have HTTPOnly attribute set using the icf/set_HTTPonly_flag_on_cookies profile parameter.
However, we want to set HTTPOnly flag on the cookies we create in our software, but the SET_COOKIE() method doesn't have any parameters to set HTTPonly attribute. Can anyone suggest the best way to set HTTPOnly attribute on a cookie programatically?
Thanks
Tim
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2016 Jun 10 6:08 PM
- SAP Managed Tags:
- Security
Hi,
I haven't tested this but based on this
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/BB/1BCF2122FD4A76948816B1342F20D7/frameset.htm
you should be able to force HTTP only flag on all cookies using icf/set_HTTPonly_flag_on_cookies.
Cheers
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2016 Jun 12 10:43 AM
- SAP Managed Tags:
- Security
We found that setting icf/set_HTTPonly_flag_on_cookies works for cookies created by SAP NetWeaver ICF code, but if our code is calling set_cookie() to set a cookie, then the HTTPOnly flag is not set.
