
ABAP Vulnerabilities

former_member275479
Participant
0 Kudos

Hi,

How to apply the "secure" attribute to session cookies to ensure that they are sent via HTTPS only in an ABAP system?

Based on my research, I think login/ticket_only_by_https should be set to 1.

Please confirm and correct me if I am wrong. Thanks.


Accepted Solutions (0)

Answers (3)


former_member275479
Participant
0 Kudos

Thanks for the prompt response.

I compared the value of login/ticket_only_by_https parameter with another system which doesn't have the vulnerability and the value seems to be the default 0.

I went ahead and compared the SAML config and found a difference in the Authentication response value (SAML -> Trusted providers -> Authentication Requirement -> Authentication response). The system which has the vulnerability is set to default, and the one which doesn't is set to "ACS - application URL and binding - HTTP POST".

Before changing the parameter value, I wanted to ask if the Authentication response is causing the issue?

Thanks.

cris_hansen
Advisor
0 Kudos

Hello,

Yes, you are correct.

You can use RZ11 and read the information about the parameter for information.

Warren also provided you with a KBA and a SAP Help page for additional documentation.

Extra documentation is available here.

Regards,

Cris
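
One way to verify the result discussed in this thread, as an added example that is not part of any poster's reply and not SAP code: it parses HTTP response headers and lists session cookies issued without the Secure attribute. The header lines are constructed sample data, and the cookie-name prefixes treated as session cookies are an assumption of this example.

```python
"""Added example: list session cookies issued without the Secure attribute."""

# Cookie-name prefixes treated as session/logon cookies (assumption of this example).
SENSITIVE_PREFIXES = ("MYSAPSSO2", "SAP_SESSIONID_")

# Constructed response header lines (not captured from a real system).
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: MYSAPSSO2=constructed-ticket-value; path=/; domain=.example.test",
    "Set-Cookie: SAP_SESSIONID_ABC_100=constructed-session-id; path=/; secure; HttpOnly",
    "Set-Cookie: sap-usercontext=sap-client=100; path=/",
    "Content-Type: text/html",
]


def parse_set_cookie(line):
    """Return (cookie_name, attributes) for a Set-Cookie line, or None for other lines."""
    field, sep, value = line.partition(":")
    if not sep or field.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:          # everything after name=value is an attribute
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name, attrs


def cookies_missing_secure(header_lines, prefixes=SENSITIVE_PREFIXES):
    """Names of session cookies in header_lines that lack the Secure attribute."""
    missing = []
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed is None:
            continue
        name, attrs = parsed
        if name.upper().startswith(prefixes) and "secure" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"{cookie}: issued without Secure, can be sent over plain HTTP")
```

Run it against the headers of a logon response over HTTPS before and after the parameter change; an empty result means every matched cookie carried the attribute.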

warren_angerstein3
Active Participant
0 Kudos

Please take a look at OSS Note 1531399 and the following URL