Security Note: Session Forwarding by URL
[forwarding] [ip forwarding] [port forwarding] [Riding] [Security] [session] [url forwarding] [vulnerability]
Symptom
A URL that a user received, for example by e-mail, lets that user connect to the SAP system without logging on.
Other terms
Security vulnerability, Session Riding
Reason and Prerequisites
The system is not configured for HTTP security sessions (see transaction SICF_SESSIONS).
The application that is accessed uses stateful HTTP communication: the session with the back end is kept open and reused by later requests. In the given environment that session is still open when the recipient uses the URL, so the recipient is connected to it without any additional authentication.
The service is not regarded as a "public" service. A service is regarded as public if
- it is defined below "/sap/public", or
- logon data is maintained for it and only that maintained logon data is permitted ("mandatory with logon data").
Solution
For SAP Web Application Server ABAP 6.40 and SAP NetWeaver Application Server ABAP 7.00, refer to note 1266780.
Starting with EhP1 for SAP NetWeaver Application Server ABAP 7.00, the vulnerability is fixed by setting the dynamic profile parameters "icf/user_recheck" and "icf/set_HTTPonly_flag_on_cookies" as described below.
The solution spans ABAP and kernel. It requires the support packages listed with this note and the following kernel patch levels:
- Kernel 7.01 patch level 44 (or higher)
- Kernel 7.10 patch level 157 (or higher)
- Kernel 7.11 patch level 37 (or higher)
- Kernel 7.20 from the first patch level, serving 7.02 and 7.20.
In transaction RZ11 change "icf/user_recheck" from its default 0 to 1. With this setting the user is reauthenticated on every consecutive request of a stateful HTTP communication, so a forwarded URL alone, without the original user's logon data, no longer attaches the recipient to the open session. If reauthentication is to be suppressed for selected services, this can be defined per service in transaction SICF. A change made in RZ11 takes effect immediately but is lost at the next restart; add the parameter to the instance profile as well to make it permanent.
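The following audit script is an added example, not part of this note or of SAP's own tooling. It reads an instance profile in its usual "name = value" form, evaluates a missing parameter at the SAP default given above, and checks a kernel release/patch level against the minimum levels listed in this note. The profile fragments and release numbers in it are constructed samples.

```python
"""Audit an SAP instance profile and kernel level against the settings
this note requires.  Added example; the profile text and the release and
patch-level values below are constructed, not taken from a real system."""

# Minimum kernel patch level per release, as listed in the note.
# 7.20 carries the fix from its first patch level.
MIN_KERNEL_PATCH = {"701": 44, "710": 157, "711": 37, "720": 0}

# Parameter -> (required value, SAP default), as given in the note.
REQUIRED = {
    "icf/user_recheck": ("1", "0"),
    "icf/set_HTTPonly_flag_on_cookies": ("0", "3"),
}


def parse_profile(text):
    """Parse the 'name = value' lines of an instance profile into a dict.
    Lines starting with '#' are comments; parameter names are case-sensitive."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def kernel_ok(release, patch_level):
    """True if the kernel release/patch level carries the fix.  Unknown
    releases are reported as not OK so they get looked at, not passed."""
    minimum = MIN_KERNEL_PATCH.get(str(release))
    return minimum is not None and int(patch_level) >= minimum


def audit_profile(text):
    """Return a list of findings; an empty list means both parameters are
    set as required.  A parameter absent from the profile is evaluated at
    its default, which is exactly the weak state this note describes."""
    params = parse_profile(text)
    findings = []
    for name, (required, default) in REQUIRED.items():
        actual = params.get(name, default)
        if actual != required:
            findings.append(f"{name} = {actual} (required {required})")
    return findings


# Constructed profile fragments for demonstration.
WEAK_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = XYZ
icf/set_HTTPonly_flag_on_cookies = 3
"""

HARDENED_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = XYZ
icf/user_recheck = 1
icf/set_HTTPonly_flag_on_cookies = 0
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, "->", audit_profile(profile) or "OK")
    print("kernel 7.01 PL 43 ok:", kernel_ok("701", 43))
    print("kernel 7.20 PL 0 ok:", kernel_ok("720", 0))
```

The script checks the profile file rather than the running value shown in RZ11 on purpose: a value changed only in RZ11 is dynamic and disappears at the next restart, so the profile is what tells you whether the fix is permanent.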
In transaction RZ11 change "icf/set_HTTPonly_flag_on_cookies" from its default 3 to 0. With this setting the HttpOnly attribute is set on the cookies the server issues, in particular on the MYSAPSSO2 logon ticket cookie. Where the client infrastructure (for example the browser) honors HttpOnly, this prevents script running in the page (for example via document.cookie) from reading the logon data. HttpOnly protects only against such programmatic access; it complements "icf/user_recheck" rather than replacing it, and like any RZ11 change it should also be entered in the instance profile so that it survives a restart.
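To confirm that the parameter change actually took effect, inspect the Set-Cookie headers the system returns (for example from "curl -si" output) and look for HttpOnly on every cookie, above all on MYSAPSSO2. The checker below is an added example, not code from this note or from SAP; the two response header blocks in it are constructed to show the state before and after the change, and the cookie values are dummies.

```python
"""Check the Set-Cookie headers of an HTTP response for the HttpOnly
attribute that icf/set_HTTPonly_flag_on_cookies = 0 is meant to add.
Added example; the response header blocks below are constructed samples
with dummy cookie values, not a capture from a real system."""


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (cookie name, attribute dict).
    Attribute names are case-insensitive; flags such as HttpOnly or Secure
    carry no value and are stored as True."""
    parts = [p.strip() for p in header_value.split(";")]
    # Only the first '=' separates name and value; the value may contain '='.
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs


def parse_raw_headers(raw):
    """Turn the header block of a raw HTTP response into (name, value) pairs,
    skipping the status line and stopping at the blank line before the body."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def cookies_missing_httponly(headers):
    """Return the names of all cookies set without the HttpOnly attribute.
    `headers` is a list of (header name, header value) pairs; header names
    are matched case-insensitively because servers vary in their casing."""
    missing = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hvalue)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed responses: before and after setting the parameter to 0.
BEFORE = """\
HTTP/1.1 200 OK
content-type: text/html
set-cookie: sap-usercontext=sap-client=100; path=/
set-cookie: MYSAPSSO2=DUMMYTICKETVALUE; path=/; domain=example.com
"""

AFTER = """\
HTTP/1.1 200 OK
content-type: text/html
set-cookie: sap-usercontext=sap-client=100; path=/; HttpOnly
set-cookie: MYSAPSSO2=DUMMYTICKETVALUE; path=/; domain=example.com; HttpOnly
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        missing = cookies_missing_httponly(parse_raw_headers(raw))
        print(label, "-> cookies without HttpOnly:", missing or "none")
```

Run it against the headers of a logon response from the patched system; any cookie it lists, and MYSAPSSO2 in particular, is still readable by script in the browser, which means the parameter is not effective on that instance. The check says nothing about the Secure attribute or about transport encryption, which are separate concerns.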