Firori Sample


For NetWeaver version 7.0 and higher, it is recommended to activate HTTP security session management using transaction SICF_SESSIONS. In particular, it is recommended to activate extra protection of security-related cookies.

- The HttpOnly flag instructs the browser to deny access to the cookie through client-side script. As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a third party.
- The Secure flag tells the browser to send the cookie only if the request is being sent over a secure channel such as HTTPS. This helps protect the cookie from being passed over unencrypted requests.

These additional flags are configured through the following profile parameters:

Profile Parameter                | Recommended Value | Description       | Comment
icf/set_HTTPonly_flag_on_cookies | 0                 | Add HttpOnly flag | Client-dependent
login/ticket_only_by_https       | 1                 | Add Secure flag   | Not client-dependent

Note: Logout is not available to users on NetWeaver versions below 7.02. Upgrading to NetWeaver 7.02 or higher is recommended.

Related Links
Activating HTTP Security Session Management on AS ABAP

SAP Fiori Security - Communication © 2013 SAP AG or an SAP affiliate company. All rights reserved. 7

4 Users

4.1 User Administration and Authentication

SAP Fiori applications adopt the user management and authentication mechanisms provided by the SAP NetWeaver platform, specifically SAP NetWeaver Application Server ABAP.

Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to the applications, except in certain aspects such as authentication.
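Before continuing with user management, here is a way to verify the cookie protection described in the Communication section above: an added example (not code from the SAP Fiori Security Guide or from SAP) that audits the Set-Cookie headers of an AS ABAP response for the HttpOnly and Secure attributes that icf/set_HTTPonly_flag_on_cookies and login/ticket_only_by_https are meant to add. The cookie-name pattern and the sample headers are assumptions constructed for the example.

```python
# Added example, not from the SAP Fiori Security Guide: audit Set-Cookie headers
# of an AS ABAP HTTP response for the HttpOnly and Secure attributes. Run it against
# the headers returned by a real Fiori/Gateway logon to confirm that the profile
# parameters icf/set_HTTPonly_flag_on_cookies and login/ticket_only_by_https
# actually took effect. All names and values below are constructed sample data.
import re

# Security-related cookies on AS ABAP: the security session cookie
# (SAP_SESSIONID_<SID>_<client>) and the SSO2 logon ticket (MYSAPSSO2).
# This pattern is an assumption made for the example.
SECURITY_COOKIE = re.compile(r"^(SAP_SESSIONID_\w+|MYSAPSSO2)$", re.IGNORECASE)

# Constructed sample response headers: one cookie fully protected, one missing
# Secure, one missing both flags, and one non-security cookie the audit ignores.
SAMPLE_HEADERS = [
    ("Set-Cookie", "SAP_SESSIONID_NPL_001=abc123; path=/; Secure; HttpOnly"),
    ("Set-Cookie", "MYSAPSSO2=ticket456; path=/; domain=.example.test; HttpOnly"),
    ("Set-Cookie", "SAP_SESSIONID_ERP_100=def789; path=/"),
    ("Set-Cookie", "sap-usercontext=sap-client=001; path=/"),
    ("Content-Type", "text/html"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(headers):
    """Return {cookie_name: [missing flags]} for every security-related cookie."""
    findings = {}
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not SECURITY_COOKIE.match(name):
            continue  # application cookies such as sap-usercontext are out of scope
        missing = [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]
        findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

An empty list for a cookie means both flags are present; any listed flag points at a profile parameter (or a proxy stripping attributes) still to be checked.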
The SAP NetWeaver Application Server ABAP Security Guide contains the following information:

- User management: the user management concept, the tools used for user management, and the types of users required
- User Authentication and Single Sign-On: the authentication options supported and how they are integrated with SAP Single Sign-On mechanisms
- Authorization and roles: an overview of the authorization concept for mobile applications, authorization settings, network and communication security, and standard authorization roles
- Standard Authorization Objects: a summary of password-related security issues

The SAP NetWeaver Application Server ABAP Security Guide is available on the SAP Help Portal, or via the link in Related Links.

The applications use the following user management concepts:

Users in the Backend System (SU01, PFCG)
Existing users are relevant for the backend system. The authorizations required for a particular application are provided using a PFCG role delivered for each application. For more information, see Authorizations and Roles in this guide.

Note: If you enable users who never directly access the backend system, you should create these users in the backend system without a password. This protects them against attacks that exploit incorrect or insecure password handling (these users are unlikely to change the initial password if they do not actually need to).

Users in SAP NetWeaver Gateway (SU01, PFCG)
Users also require a user ID for the SAP NetWeaver Gateway layer. They must have the same username as the users in the backend system. The user requires certain
authorizations that allow the services of the application to be triggered in the backend. If you copy the users from the backend users, note the following recommendations:

- If you use SSO2 logon tickets to authenticate the requests from the mobile device on SAP NetWeaver Gateway, you should copy the user without any password. This protects against attacks based on incorrect or insecure password handling.
- The same recommendations apply if you prefer to create users from scratch. If users already exist in SAP NetWeaver Gateway, these steps are not relevant. Authentication can be carried out with the same credentials as for the existing application.

To authenticate users, you can set up integration with your existing SSO solution based on SAP Logon Tickets or SAML. The user name in the system that issues the logon tickets has to be the same as the user name for the Gateway system and backend system.

Related Links
SAP NetWeaver Application Server ABAP Security Guide
User Authentication and Single Sign-On [page 10]: SAP Fiori applications support the following authentication and single sign-on mechanisms.

4.1.1 User Creation and Authorization Assignment

Follow this procedure to create users and assign authorizations to them:

1. Create users on the SAP NetWeaver Gateway system and on the application backend system.
2. Decide on your preferred mechanism for user authentication and SSO.
3. Create dedicated authorizations for application users in the Gateway system.

4.1.2 User Management Tools

For information about the tools used for user management and user administration with these applications, refer to the documentation User and Role Administration of AS ABAP.

Note: For user notification about initial logon and activation, a user management tool is often used to send out an e-mail containing the necessary logon information.

Related Links
User and Role Administration of AS ABAP

4.1.3 User Types

You may have to employ different security policies for different types of users. For SAP Fiori, the following minimum user types are required:

- Individual user: individual users provide access to an application and to administrative tasks.
- Technical user: technical users enable data communication between systems.

Related Links
User Types

4.1.4 User Data Synchronization

Users must have the same user name in SAP NetWeaver Gateway as they do in the backend system. You can use the Central User Administration