MYSAPSSO2 and enforce secure cookie


Hello everyone, we want to serve our company portal (EP 7.50) over the internet, so we did a vulnerability test for the portal. In the report there is a risk about the MYSAPSSO2 cookie that contains the userid. The solution is very simple: we set ume.logon.security.enforce_secure_cookie = true. After that we can't connect our backend ECC system with WebGUI, because the userid is not passed through to ECC with the cookie and SSO is not working for WebGUI. How can I fix this? If I change "ume.logon.security.enforce_secure_cookie = false", everything is fine.

Accepted Solutions (1)

kashyap_shah3
Contributor

Hi Mehdi,

Please pay attention to the following note from SAP Note 2068872 - HttpOnly and Secure cookie attributes:

Note: Keep in mind that when a server sets a cookie with the Secure attribute, once it is received by the browser, the browser will only send the cookie with requests that use https and not with unencrypted http requests. Therefore activating the Secure attribute for a cookie as outlined below may break currently working scenarios where https is not used and the cookie is used for session tracking or authentication. After activating the Secure attribute the scenario should be tested using https for all requests.

As per the above note, please check whether your backend ECC system has https configured.

Best Regards,
Kashyap Shah
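To make the behaviour described in the quoted note concrete, here is an added example (not from this thread and not SAP code) that uses Python's http.cookiejar as a stand-in for the browser: the portal issues MYSAPSSO2 with and without the Secure attribute, and the jar decides whether to attach it to an http or https WebGUI URL on the backend. Host names, ports and the ticket value are constructed placeholders.

```python
"""Why ume.logon.security.enforce_secure_cookie=true breaks SSO to an
HTTP-only backend: a browser-style cookie jar will not attach a cookie
that carries the Secure attribute to a plain http:// request."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Hypothetical hosts: portal and ECC share a DNS domain, so the
# domain-scoped MYSAPSSO2 cookie is eligible for both.
PORTAL_URL = "https://portal.example.com/irj/portal"
ECC_HTTP = "http://ecc.example.com:8000/sap/bc/gui/sap/its/webgui"
ECC_HTTPS = "https://ecc.example.com:44300/sap/bc/gui/sap/its/webgui"


class _Response:
    """Minimal stand-in for the response object CookieJar.extract_cookies reads."""

    def __init__(self, set_cookie_header: str):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def portal_logon(enforce_secure_cookie: bool) -> CookieJar:
    """Simulate the portal handing MYSAPSSO2 to the browser after logon.
    The ticket value is a constructed placeholder, not a real logon ticket."""
    header = "MYSAPSSO2=CONSTRUCTED-TICKET-VALUE; Path=/; Domain=.example.com; HttpOnly"
    if enforce_secure_cookie:
        header += "; Secure"  # the attribute the UME property adds
    jar = CookieJar()
    jar.extract_cookies(_Response(header), Request(PORTAL_URL))
    return jar


def sso_cookie_sent(jar: CookieJar, url: str) -> bool:
    """Would the browser attach MYSAPSSO2 when following a portal link to url?"""
    req = Request(url)
    jar.add_cookie_header(req)
    return "MYSAPSSO2=" in (req.get_header("Cookie") or "")


if __name__ == "__main__":
    for secure in (False, True):
        jar = portal_logon(secure)
        for url in (ECC_HTTP, ECC_HTTPS):
            print(f"enforce_secure_cookie={secure!s:5} {url:58} -> {sso_cookie_sent(jar, url)}")
```

With Secure set, only the https WebGUI URL receives the ticket, which is why enabling HTTPS on the ECC side (and linking to the https URL from the portal) restores SSO.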

Answers (0)