on 12-05-2019 1:20 PM
Hello everyone, we want to serve our company portal (EP 7.50) over the internet, so we did a vulnerability test for the portal. In the report there is a risk about the mysapsso2 cookie that contains the userid. The solution is very simple: we set ume.logon.security.enforce_secure_cookie = true. After that we can't connect to our backend ECC system with webgui, because the userid is not passed through to ECC with the cookie and SSO is not working for webgui. How can I fix this? If I change it to "ume.logon.security.enforce_secure_cookie = false", everything is fine.
Hi Mehdi,
Please pay attention to the following note from SAP Note 2068872 - HttpOnly and Secure cookie attributes:
Note: Keep in mind that when a server sets a cookie with the Secure attribute, once it is received by the browser, the browser will only send the cookie with requests that use https and not with unencrypted http requests. Therefore activating the Secure attribute for a cookie as outlined below may break currently working scenarios where https is not used and the cookie is used for session tracking or authentication. After activating the Secure attribute the scenario should be tested using https for all requests.
As per the above note, please check whether your backend ECC system has https configured.
Best Regards,
Kashyap Shah
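The behaviour described in the quoted note, as an added example that is not part of the original thread: Python's standard-library cookie jar stands in for the browser and shows when a cookie issued by the portal accompanies a request to the backend. The hostnames, URL paths, Domain attribute and ticket value are constructed assumptions, not values from the poster's landscape.

```python
"""Constructed demo: when does a browser-like client return a Secure cookie?"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed values (assumptions): hosts, paths, Domain attribute, ticket value.
PORTAL_URL = "https://portal.example.com/irj/portal"
ECC_HTTP = "http://ecc.example.com/sap/bc/gui/sap/its/webgui"
ECC_HTTPS = "https://ecc.example.com/sap/bc/gui/sap/its/webgui"
COOKIE_PLAIN = "MYSAPSSO2=constructed-ticket; Domain=.example.com; Path=/"
COOKIE_SECURE = COOKIE_PLAIN + "; Secure"


class _Response:
    """Minimal response object that exposes a Set-Cookie header to CookieJar."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_is_sent(set_cookie, issuing_url, target_url, name="MYSAPSSO2"):
    """True if a cookie set by issuing_url would accompany a request to target_url."""
    jar = CookieJar()
    jar.extract_cookies(_Response(set_cookie), Request(issuing_url))
    target = Request(target_url)
    jar.add_cookie_header(target)  # applies Secure, domain and path matching
    header = target.get_header("Cookie") or ""
    return any(p.strip().startswith(name + "=") for p in header.split(";"))


if __name__ == "__main__":
    cases = [
        ("no Secure, backend over http", COOKIE_PLAIN, ECC_HTTP),
        ("Secure, backend over http", COOKIE_SECURE, ECC_HTTP),
        ("Secure, backend over https", COOKIE_SECURE, ECC_HTTPS),
    ]
    for label, cookie, url in cases:
        sent = cookie_is_sent(cookie, PORTAL_URL, url)
        print(f"{label:32} -> cookie sent: {sent}")
```

The middle case is the one from the question: the ticket carries the Secure attribute, the backend URL is plain http, and the request leaves without the cookie.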