Skip to end of metadata
Go to start of metadata

The HttpOnly and Secure attributes of ICF cookies can be controlled with the parameters icf/set_HTTPonly_flag_on_cookies and login/ticket_only_by_https.

See the below KBA for details:

2068872 - HttpOnly and Secure cookie attributes


Note that it does not always make sense to set the HttpOnly and Secure attributes, even if they are highlighted as an issue during a security scan. When the Secure flag is set, the browser will not send the cookie over an unencrypted channel (such as HTTP). This means that it makes no sense to set this flag in a scenario where HTTP (and not HTTPS)  is used. Also, it is not possible, and not necessary to set the Secure flag for the cookies sap-appcontext, sap-usercontext, sap-contextid, sap-theme, sap-language and sap-exiturl. These cookies do not contain security relevant data.


When setting cookies in custom developments, using the method IF_HTTP_ENTITY~SET_COOKIE, the Secure and HTTPOnly attributes can be controlled with the value of the SECURE parameter:
1 = Secure
16 = HTTPOnly
17 = Secure + HTTPOnly

Related SAP Notes/KBAs

SAP KBA 2068872 - HttpOnly and Secure cookie attributes

SAP Note 1334907 - ICF, HTTPONLY flag for ICF cookies