Skip to Content
avatar image
Former Member

How to restrict the Request and Response process in that cookies should be Secure way SAP Portal 7.0 ?

Dear Experts,


Please any one can help me i am getting one security issue.Some third party tools using and hacking the Request and Response of the Server.That time there taking one successfully Request (GET http://1.1 302 found) and Response (http://1.1 200 ok).In this request based on again there giving some invalidate credential in that time server giving request replacing for success fully Request that time there login in to portal successfully(Bypassing).In this Request level only getting the information for URL and set-cookies only.Here any process is there to restrict the set cookies.like JSESSIONMARKID and JSESSIONID SAP_LB.


We are using 7.0 Version and SP 12. Please share you are solutions because of this is very high problem here.



Thanks for Advance


Thanks and regrades,

Durga Rao.

Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

1 Answer

  • Jun 05, 2014 at 05:02 PM

    I don't really understand the question, maybe the HttpOnly attribute is what you are looking for. You are running an old version of the portal, consider upgrading to at least 7.3 for better cookie and session security. You should know that in order to prevent man in the middle types of attack, further steps are necessary (like switching to HTTPS).

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Dear Samuli,

      Thanks for the Replay,

      We are using HTTPS and SSL confined but man in the middle types of attack is happening here there using one tool based one there taking the Request and Response.The below given cookie are available in that request.

      According to this , set-cookie: JSESSIONMARKID , JSESSIONID and MYSAPSSO2 values are user login time it will change every time are not.

      After capturing above response HTTP/1.1 302 etc , when user gives valid credentials and logs in ,

      and now ill give wrong password and wrong user id and on click of log on button, i can intercept the request and response coming from the server and when i replace this valid response stil i am able to loggin in to the portal , which should not happen as JESSIONMARKID is changed , server should not allow , but it is loggin in.Standard Login page also allowing to login in this case.

      My server version is EP 7.0 SP 12.

      Please suggest a solution so that if we restric the hacker at this stage , no matter he can never hijack the sesiona and login with invalid username and password.

      Thanks for Advance


      Thanks and regrades,

      Durga Rao.