Solution : https://service.sap.com/sap/support/notes/1302734 (SAP Service marketplace login required)
Summary :
In browser-based ICF applications (such as Web Dynpro ABAP), client-side script running in the browser could read the HTTP logon cookie MYSAPSSO2, which is a security concern: a script injected into a page can read the logon ticket and use it to take over the user's session. To mitigate this, from SAP NetWeaver 7.02 and 7.10 onwards the security-relevant cookies, that is the logon cookies MYSAPSSO2 and SAP_SESSIONID_<sysid>_<client>, are set with the HttpOnly attribute, so the browser no longer exposes them to JavaScript (it still sends them with every HTTP request, so server-side processing is unaffected). Applications that require script access to these cookies must be adapted, or the profile parameter icf/set_HTTPonly_flag_on_cookies can be changed: temporarily via transaction RZ11 for testing, or permanently in the instance profile. The parameter value controls which cookies receive the attribute: 0 = HttpOnly active for all security-relevant cookies (the default behaviour), 1 = HttpOnly active for the logon cookies only (inactive for other ICF cookies), 2 = HttpOnly inactive for the logon cookies but active for other ICF cookies, 3 = HttpOnly inactive for all cookies. Relaxing the parameter removes the protection for every application served by that application server, not just for the one that needs script access, so it should be a last resort after adapting the application.
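As a practical check of the behaviour the note describes, the following added example (not code from the note or from SAP) audits the Set-Cookie headers of an ICF response, flags any logon cookie (MYSAPSSO2 or SAP_SESSIONID_<sysid>_<client>) that was issued without HttpOnly, and reports which values of icf/set_HTTPonly_flag_on_cookies are consistent with what was observed. The mapping of parameter values to cookie classes is an assumption reconstructed from the note's keyword list, and the header lines are constructed sample data; in practice you would feed it the Set-Cookie headers captured from a real logon response.

```python
"""Audit SAP ICF Set-Cookie headers for the HttpOnly attribute on logon cookies."""
import re

# The cookies the note treats as security-relevant logon cookies: the SSO
# logon ticket and the per-system/per-client security session cookie.
LOGON_COOKIE_RE = re.compile(r"^(MYSAPSSO2|SAP_SESSIONID_[A-Z0-9]+_\d{3})$", re.IGNORECASE)

# Assumed meaning of icf/set_HTTPonly_flag_on_cookies, reconstructed from the
# note's keyword list: value -> (HttpOnly on logon cookies, HttpOnly on other ICF cookies)
PARAM_VALUES = {
    0: (True, True),
    1: (True, False),
    2: (False, True),
    3: (False, False),
}

# Constructed sample headers, as an ICF logon response might return them.
# "sap-usercontext" stands in for a non-logon ICF cookie.
SAMPLE_SET_COOKIE = [
    "MYSAPSSO2=AjExMDAgABtjb25zdHJ1Y3RlZA; path=/; domain=.corp.example; HttpOnly",
    "SAP_SESSIONID_NSP_001=constructedsessionvalue; path=/; HttpOnly",
    "sap-usercontext=sap-client=001; path=/",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, {attribute: value}).

    Only the first '=' separates name from value, so values containing '='
    (as in sap-usercontext=sap-client=001) survive intact. Attribute names are
    lower-cased because browsers treat them case-insensitively.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookies(set_cookie_headers):
    """Return {cookie name: {'logon': bool, 'httponly': bool}} for the headers."""
    report = {}
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        report[name] = {
            "logon": bool(LOGON_COOKIE_RE.match(name)),
            "httponly": "httponly" in attrs,
        }
    return report


def exposed_logon_cookies(report):
    """Logon cookies that a script in the browser could read (no HttpOnly)."""
    return sorted(name for name, r in report.items() if r["logon"] and not r["httponly"])


def consistent_parameter_values(report):
    """Parameter values whose expected HttpOnly coverage matches the observation.

    Returns a set because a response may be ambiguous (no non-logon cookie
    seen, so 0 and 1 are indistinguishable) or contradictory (a logon cookie
    with and one without HttpOnly, which no single parameter value produces;
    that usually means an application set the cookie itself).
    """
    logon = [r["httponly"] for r in report.values() if r["logon"]]
    other = [r["httponly"] for r in report.values() if not r["logon"]]
    values = set()
    for value, (logon_flag, other_flag) in PARAM_VALUES.items():
        if logon and any(h != logon_flag for h in logon):
            continue
        if other and any(h != other_flag for h in other):
            continue
        values.add(value)
    return values


if __name__ == "__main__":
    report = audit_set_cookies(SAMPLE_SET_COOKIE)
    for name, r in report.items():
        kind = "logon" if r["logon"] else "other"
        print(f"{name:24s} {kind:5s} HttpOnly={r['httponly']}")
    print("exposed logon cookies:", exposed_logon_cookies(report))
    print("consistent icf/set_HTTPonly_flag_on_cookies values:",
          sorted(consistent_parameter_values(report)))
```

An empty result from consistent_parameter_values is itself a finding: the logon cookies are not uniformly protected, so either the framework setting is not what you think or something other than the ICF framework is issuing one of them.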
Key words :
icf/set_HTTPonly_flag_on_cookies, httponly attribute, ICF logon cookies (MYSAPSSO2, sap_sessionid_<sysid>_<client>), ICF cookies, 0 = httponly attribute active, 1 = httponly attribute inactive for ICF cookies, 2 = httponly attribute inactive for logon cookies, 3 = httponly attribute inactive for logon cookies and ICF cookies, relevant NetWeaver application server, prerequisites ICF applications, security-relevant cookies, browser-based applications, Web Dynpro ABAP
Related Notes :
1420893 | ITS Up/Down: security session management not working |
1322944 | |
1317545 | Applets/ ActiveX - HttpOnly Attr. for Cookie Sec. Protection |
1301591 | HTTP 400 - Session not found (Stateful HTTP communication) |