cancel
Showing results for 
Search instead for 
Did you mean: 

Session-ID Length

benutzername1
Discoverer
0 Kudos
585

Hello,
How is session-identifier length it in ABAP and JAVA?

It should be at least 128 bit long.

https://owasp.org/www-community/vulnerabilities/Insufficient_Session-ID_Length

Regards,

Ronny

Accepted Solutions (0)

Answers (2)

Answers (2)

marco_hammel2
Participant

Hi Ronny,

In reference to OWAP, I consider you're looking for information about web session IDs.

The short answer is: it depends.

The long answer is, depending on what kind of web framework is used for a certain application and what authentication method is enabled, there can be multiple session ids around. When it comes to the actual user session, asides of LB session ids and similar you typically find a cookie SAP_SESSIONID_<SID>_<Client> in your browser after authentication. Other cookies such as:

sap-appcontext, sap-contexid, sap-usercontext and iwc-session-instance are for LB and dispatching management.

In a Java (but can be in ABAP too) system the relevant session id is typically in the MYSAPSSO2 cookie.

For currently supported releases, and with default settings, I can confirm, that the user session ids described here are longer then 128 bit. Please bare in mind, that some 3rd party add-on, or custom implemented framework can use a custom authentication and session management implementation not related to the SAP standard. As well, I know that session identifiers and their length where different prior to release 7.0. But these systems are already out of regular maintenance.

I hope this helps.

BR

Marco

benutzername1
Discoverer
0 Kudos

Hello Marco,

thank you for the detailed answer. This helps.


Regards.

Ronny