SAP Note 1302734 - Accessing the HTTP cookie "MYSAPSSO2" fails

Component : Internet Communication Framework - Authentication and SSO

Solution : https://service.sap.com/sap/support/notes/1302734 (SAP Service marketplace login required)

Summary :
Browser-based ICF applications (such as Web Dynpro ABAP) can no longer read the HTTP cookie MYSAPSSO2 from client-side script. This is intentional: a logon ticket or session cookie that JavaScript can read is exposed to theft by any script injected into the page, so from SAP NetWeaver 7.02 and 7.10 onwards the security-relevant cookies, including MYSAPSSO2 and SAP_SESSIONID_<sysid>_<client>, are set with the "HttpOnly" attribute, which blocks JavaScript access in the browser. Applications that still require script access to these cookies must be adapted, or the profile parameter icf/set_HTTPonly_flag_on_cookies must be changed: through transaction RZ11 for testing, or permanently in the profile file. The parameter's values control for which groups of cookies the HttpOnly attribute is enforced.
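A quick way for an administrator to confirm that the HttpOnly attribute is actually being emitted after changing the parameter is to inspect the Set-Cookie headers returned by an ICF service. The following audit is an added example, not code from SAP or from this note: it parses Set-Cookie header values and reports which security-relevant cookies (MYSAPSSO2 and any SAP_SESSIONID_<sysid>_<client>) lack HttpOnly. The sample headers, the domain .example.corp and the system/client pair NSP/001 are constructed for the example.

```python
from typing import Dict, List, Tuple


def is_security_relevant(name: str) -> bool:
    """Cookies this note treats as security-relevant: the MYSAPSSO2 logon
    ticket and the session cookie SAP_SESSIONID_<sysid>_<client>."""
    return name == "MYSAPSSO2" or name.startswith("SAP_SESSIONID_")


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie header value into (cookie name, {attribute: value}).

    Attribute names are lowercased; flag attributes such as HttpOnly and
    Secure map to an empty string. Only the first '=' of the name/value pair
    is significant, so values containing '=' (e.g. sap-usercontext) are kept.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs


def audit_set_cookie_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Classify each Set-Cookie header.

    Security-relevant cookies carrying HttpOnly land in 'ok', security-relevant
    cookies without it in 'missing_httponly', and every other cookie in 'ignored'.
    """
    result: Dict[str, List[str]] = {"ok": [], "missing_httponly": [], "ignored": []}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not is_security_relevant(name):
            result["ignored"].append(name)
        elif "httponly" in attrs:
            result["ok"].append(name)
        else:
            result["missing_httponly"].append(name)
    return result


# Constructed sample response headers (not captured from a real system):
# the logon ticket is set correctly, the session cookie is missing HttpOnly,
# and sap-usercontext is a non-security-relevant cookie that should be ignored.
SAMPLE_HEADERS = [
    "MYSAPSSO2=constructed-ticket-value; path=/; domain=.example.corp; HttpOnly",
    "SAP_SESSIONID_NSP_001=constructed-session-value; path=/",
    "sap-usercontext=sap-client=001; path=/",
]


if __name__ == "__main__":
    report = audit_set_cookie_headers(SAMPLE_HEADERS)
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Run against real responses, feed every Set-Cookie header of the logon response into audit_set_cookie_headers; any name in missing_httponly means the parameter is set to a value that exempts that cookie group. Note that this check only looks at what the server emits; the browser-side symptom the note title describes is that document.cookie no longer contains MYSAPSSO2 once HttpOnly is present.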

Key words :
icf logon cookies 2 = httponly attribute inactive, icf logon cookies 3 = httponly attribute inactive, icf cookies 1 = httponly attribute inactive, sap_sessionid_<sysid>_<client>, 0 = httponly attribute active, relevant netweaver application server, prerequisites icf applications, security-relevant cookies, browser-based applications, web dynpro abap

Related Notes :

1420893 - ITS Up/Down: security session management not working
1322944
1317545 - Applets/ActiveX - HttpOnly Attr. for Cookie Sec. Protection
1301591 - HTTP 400 - Session not found (Stateful HTTP communication)