
How to restrict the Request and Response process in that cookies should be Secure way SAP Portal 7.0 ?

vdurgarao09
Contributor
0 Kudos

Dear Experts,


Please, can anyone help me? I am getting a security issue. Some third-party tools are being used to hack the Request and Response of the server. At that time they take one successful Request (GET http://1.1 302 found) and Response (http://1.1 200 ok). Based on this request, they again give some invalid credentials, and at that time the server response is replaced with the successful Request, and they log in to the portal successfully (bypassing). At this Request level they only get the information of the URL and set-cookies. Is there any process to restrict the set-cookies, like JSESSIONMARKID and JSESSIONID SAP_LB?


We are using Version 7.0 and SP 12. Please share your solutions, because this is a very big problem here.



Thanks in Advance


Thanks and regards,

Durga Rao. 

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

I don't really understand the question, maybe the HttpOnly attribute is what you are looking for. You are running an old version of the portal, consider upgrading to at least 7.3 for better cookie and session security. You should know that in order to prevent man-in-the-middle types of attack, further steps are necessary (like switching to HTTPS).
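As an added example that is not part of the original thread, here is a small check a portal administrator can run over the Set-Cookie headers of a captured login response to confirm that the session cookies named in the question carry both the Secure and HttpOnly attributes. The header values below are constructed samples, not a real portal response.

```python
# Added example (not from the original thread): audit Set-Cookie headers
# from a captured HTTP response for the Secure and HttpOnly attributes.
# The cookie names are the ones mentioned in the thread; the header values
# are constructed sample data, not output from a real portal.
from typing import Dict, List, Set, Tuple

# Cookies that carry session or SSO state and therefore need both flags.
SESSION_COOKIES = {"JSESSIONID", "JSESSIONMARKID", "MYSAPSSO2", "SAP_LB"}
REQUIRED_ATTRS = ("Secure", "HttpOnly")


def parse_set_cookie(value: str) -> Tuple[str, Set[str]]:
    """Split one Set-Cookie value into (cookie name, lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_set_cookies(header_values: List[str]) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing attributes]} for every session cookie
    that lacks Secure or HttpOnly. Cookies with both flags are not reported,
    and cookies outside SESSION_COOKIES are ignored."""
    findings: Dict[str, List[str]] = {}
    for value in header_values:
        name, attrs = parse_set_cookie(value)
        if name not in SESSION_COOKIES:
            continue
        missing = [a for a in REQUIRED_ATTRS if a.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample: Set-Cookie headers as they might appear in a 302 login
# response. Only MYSAPSSO2 is set correctly here.
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123; Path=/; HttpOnly",
    "JSESSIONMARKID=XYZ789; Path=/",
    "MYSAPSSO2=token; Path=/; Secure; HttpOnly",
    "SAP_LB=node1; Path=/",
    "theme=blue; Path=/",
]

if __name__ == "__main__":
    for cookie, missing in audit_set_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

A cookie flagged here is sent over plain HTTP or is readable by page scripts, so it should be fixed in the portal's cookie configuration before looking further at the replay problem described in the question.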

vdurgarao09
Contributor
0 Kudos

Dear Samuli,

Thanks for the Reply,

We are using HTTPS with SSL configured, but man-in-the-middle types of attack are happening here; they use one tool and, based on that, they take the Request and Response. The below given cookies are available in that request.

According to this, the set-cookie values JSESSIONMARKID, JSESSIONID and MYSAPSSO2 are set at user login time, whether they change every time or not.

After capturing the above response (HTTP/1.1 302 etc.) when the user gives valid credentials and logs in,

I now give a wrong password and wrong user id and, on clicking the log on button, I can intercept the request and response coming from the server. When I replace this with the valid response I am still able to log in to the portal, which should not happen: as JSESSIONMARKID is changed, the server should not allow it, but it is logging in. The standard login page also allows login in this case.

My server version is EP 7.0 SP 12.

Please suggest a solution so that if we restrict the hacker at this stage, no matter what, he can never hijack the session and log in with an invalid username and password.

Thanks in Advance


Thanks and regards,

Durga Rao.