Ian Henry

How to fix Google Chrome SameSite Cookie issue with SAC and HANA XS

In this blogpost I will describe the steps to fix the Chrome SameSite Cookie issue that can occur with SAP Analytics Cloud and HANA Live Connections using the XS Engine on premise.

I am using Google Chrome 84 and the SameSite Cookie change has come into effect, which prevented a number of my dashboards from rendering.

The impact is that your SAC dashboards may fail to load, and you may see these error messages:

Http Status: 403 Forbidden

Error Protocol (#50) Cannot fetch csrf token from server

 

Chrome Developer Tools has a new “Issues” tab where we can identify these problems.

Figure 1: Chrome Developer Tools, Issues

SameSite cookies have been expertly explained in detail by Dong Pan here:
https://www.sapanalytics.cloud/direct-live-connections-in-sap-analytics-cloud-and-samesite-cookies/

In this blog post I have captured only the steps required for SAC Live Connections to SAP HANA 1.x or 2.x using the XS engine.

1. Create rewrite.txt

This file resides on the HANA filesystem and should be somewhere accessible to the HDBADM or equivalent user. The recommended location is:

/hana/shared/HDB/profile/rewrite.txt

The contents of the file are as follows:

SetHeader sap-ua-protocol ""
if %{HEADER:clientprotocol} stricmp http [OR]
if %{HEADER:x-forwarded-proto} stricmp http [OR]
if %{HEADER:forwarded} regimatch proto=http

begin
    SetHeader sap-ua-protocol "http"
end

if %{HEADER:clientprotocol} stricmp https [OR]
if %{HEADER:x-forwarded-proto} stricmp https [OR]
if %{HEADER:forwarded} regimatch proto=https

begin
    SetHeader sap-ua-protocol "https"
end

if %{HEADER:sap-ua-protocol} strcmp "" [AND]
if %{SERVER_PROTOCOL} stricmp https

begin
    SetHeader sap-ua-protocol "https"
end

if %{RESPONSE_HEADER:set-cookie} !strcmp "" [AND]
if %{HEADER:sap-ua-protocol} stricmp https [AND]
if %{HEADER:user-agent} regmatch "^Mozilla" [AND]
if %{HEADER:user-agent} !regmatch "(Chrome|Chromium)/[1-6]?[0-9]\." [AND]
if %{HEADER:user-agent} !regmatch "(UCBrowser)/([0-9]|10|11|12)\." [AND]
if %{HEADER:user-agent} !regmatch "\(iP.+; CPU .*OS 12_.*\) AppleWebKit\/" [AND]
if %{HEADER:user-agent} !regmatch "\(Macintosh;.*Mac OS X 10_14.*(Version\/.* Safari.*|AppleWebKit\/[0-9\.]+.*\(KHTML, like Gecko\))$"

begin
    RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*)" "$1$2; SameSite=None; Secure"
    RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*; *SameSite=[a-zA-Z]+.*); SameSite=None; Secure" $1$2
    RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*; *Secure.*); Secure" $1$2
end

 

2. Webdispatcher.ini Parameter

Using HANA Studio, connect to the SYSTEMDB

Navigate to the Configuration -> WebDispatcher -> Profile


Figure 2: HANA Studio, Add Parameter

Add a new System Parameter


Figure 3: Assign Values to System

Change the FILE path as appropriate, to match your rewrite.txt. In my case the HANA SID is HDB.

## Key
icm/HTTP/mod_0

## Value
PREFIX=/, FILE=/hana/shared/<SID>/profile/rewrite.txt


Figure 4: Add icm/HTTP/mod_0 key

 

3. Restart webdispatcher Service

For this setting to become active, we need to restart the Webdispatcher.
This can easily be done by killing the service. It will then restart automatically.


Figure 5: Kill the webdispatcher service

Log out and log back in to your live HANA-based SAC story or Analytical Application. All should now be working again 🙂

If not, check:

  • Chrome Developer Tools Console for errors and/or issues.
  • Cookies – check to see if any are being blocked.
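To compare a Set-Cookie header seen in Chrome Developer Tools with what the rules from step 1 should produce, the following added example (not part of the original post and not SAP code) models the final block of rewrite.txt in Python. Python's re module stands in for the Web Dispatcher's regex engine, and the cookie name, cookie values and user-agent strings are constructed samples.

```python
import re

# User-agent exclusions copied from the rewrite.txt conditions above
# (regmatch is case-sensitive, so no flags are used here).
EXCLUDED_UA = [
    r"(Chrome|Chromium)/[1-6]?[0-9]\.",
    r"(UCBrowser)/([0-9]|10|11|12)\.",
    r"\(iP.+; CPU .*OS 12_.*\) AppleWebKit\/",
    r"\(Macintosh;.*Mac OS X 10_14.*(Version\/.* Safari.*"
    r"|AppleWebKit\/[0-9\.]+.*\(KHTML, like Gecko\))$",
]

# The three RegIRewriteResponseHeader rules in file order ($1$2 becomes \1\2).
REWRITES = [
    (r"^([^=]+)(=.*)", r"\1\2; SameSite=None; Secure"),
    (r"^([^=]+)(=.*; *SameSite=[a-zA-Z]+.*); SameSite=None; Secure", r"\1\2"),
    (r"^([^=]+)(=.*; *Secure.*); Secure", r"\1\2"),
]

def should_rewrite(user_agent, protocol="https"):
    """True when the final 'if' block of rewrite.txt would fire."""
    if protocol.lower() != "https" or not re.search(r"^Mozilla", user_agent):
        return False
    return not any(re.search(p, user_agent) for p in EXCLUDED_UA)

def rewrite_set_cookie(value, user_agent, protocol="https"):
    """Return the Set-Cookie value the browser should receive."""
    if not value or not should_rewrite(user_agent, protocol):
        return value
    for pattern, repl in REWRITES:
        # RegI... rules are modelled as case-insensitive substitutions.
        value = re.sub(pattern, repl, value, count=1, flags=re.IGNORECASE)
    return value

# Constructed sample data: cookie name and values are placeholders.
CHROME_84 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36")
CHROME_66 = CHROME_84.replace("Chrome/84.0.4147.105", "Chrome/66.0.3359.139")
SAMPLES = [
    "sessionid=ABC123; Path=/; HttpOnly",
    "sessionid=ABC123; Path=/; Secure; HttpOnly",
    "sessionid=ABC123; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for ua_name, ua in (("Chrome 84", CHROME_84), ("Chrome 66", CHROME_66)):
        for cookie in SAMPLES:
            print(f"{ua_name}: {cookie!r} -> {rewrite_set_cookie(cookie, ua)!r}")
```

The third sample comes back unchanged: a cookie that already declares a SameSite value keeps it, so the rule set only changes cookies that do not set the attribute themselves.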


      6 Comments
      Prashant Jayaraman

      If you don’t have HANA Studio, you can just execute the following SQL statement (on the SYSTEMDB if you’re on a multitenant system):

      ALTER SYSTEM ALTER CONFIGURATION ('webdispatcher.ini','system') 
      SET ('profile','icm/HTTP/mod_0') = 'PREFIX=/, FILE=/hana/shared/<SID>/profile/rewrite.txt' 
      WITH RECONFIGURE;

      My <SID> was HXE since I’m using HANA Express.

      Then you can stop/start the HANA system as follows:

      1. /usr/sap/hostctrl/exe/sapcontrol -nr <instance-number> -function Stop
      2. Wait for everything to have Stopped.  (See status with /usr/sap/hostctrl/exe/sapcontrol -nr <instance-number> -function GetProcessList)
      3. /usr/sap/hostctrl/exe/sapcontrol -nr <instance-number> -function Start

      For me the <instance-number> is 90 since I’m using HANA Express.

      Also make sure that rewrite.txt was not written with sudo, or webdispatcher will not be able to read it.  If webdispatcher fails to restart, check its trace files (which are located for HANA Express at /usr/sap/HXE/HDB90/hxehost/trace).

      Pushpak Shukla

      Hi,

      We were able to fix the Chrome SameSite Cookie issue in normal mode by following this blog, but not in Incognito mode, likely because in Incognito Chrome blocks third party cookies by default. Is there a way out for Incognito mode please?

      Regards,
      Pushpak

      Ian Henry
      Blog Post Author

      Hi Pushpak,

      When switching to incognito mode you can specify whether to block third-party cookies or not.

      By default, with Chrome 83+ this is now on; if you turn that off then you should be able to connect as before.

      Pushpak Shukla

      Hi Ian,

       

      Thanks for your prompt response, your above blog is very helpful.

       

      Indeed, turning it off will allow the form to be submitted in Incognito, but the change will be on the client side. So this means every user would have to do this when they receive an email campaign from SAP Marketing, which is undesirable. So we want to do it from the server side / web dispatcher level (similar to what you've described) so that it is applicable for all users.

       

      Regards,
      Pushpak

      Ian Henry
      Blog Post Author

      Hi Pushpak,

      I'm not aware that is possible, as it is the enhanced browser security that is rejecting this cookie.

      This post from Darryl Griffiths really highlights the details of the issue.

      https://www.it-implementor.co.uk/2020/08/cookies-sap-analytics-cloud-and-cors-in-netweaver.html

      Rahul Jain

      Hey @Ian Henry

      I am using SAP B1 Service Layer and stumbled upon the same error. Any solutions for the same?