Skip to Content
Technical Articles
Author's profile photo Ian Henry

How to fix Google Chrome SameSite Cookie issue with SAC and HANA XS

In this blogpost I will describe the steps to fix the Chrome SameSite Cookie issue that can occur with SAP Analytics Cloud and HANA Live Connections using the XS Engine on premise.

I am using Google Chrome 84 and the SameSite Cookie change has come into effect, which prevented a number of my dashboards from rendering.

The impact of this is that you maybe your SAC dashboards aren’t loading, perhaps you’re seeing these error messages.

Http Status: 403 Forbidden

Error Protocol (#50) Cannot fetch csrf token from server


Chrome Developer Tools has a new “Issues” tab where we can identify these problems.

Figure 1: Chrome Developer Tools, Issues

Samesite cookies have been expertly explained by Dong Pan in detail here.

In this blog post I have captured only the steps required for SAC Live Connections to SAP HANA 1.x or 2.x using the XS engine.

1. Create rewrite.txt

This file resides on the HANA filesystem, it should be in somewhere accessible to the HDBADM or equivalent user. Recommended location would be here


The contents of the file is as follows

SetHeader sap-ua-protocol ""
if %{HEADER:clientprotocol} stricmp http [OR]
if %{HEADER:x-forwarded-proto} stricmp http [OR]
if %{HEADER:forwarded} regimatch proto=http

    SetHeader sap-ua-protocol "http"

if %{HEADER:clientprotocol} stricmp https [OR]
if %{HEADER:x-forwarded-proto} stricmp https [OR]
if %{HEADER:forwarded} regimatch proto=https

    SetHeader sap-ua-protocol "https"

if %{HEADER:sap-ua-protocol} strcmp "" [AND]
if %{SERVER_PROTOCOL} stricmp https

    SetHeader sap-ua-protocol "https"

if %{RESPONSE_HEADER:set-cookie} !strcmp "" [AND]
if %{HEADER:sap-ua-protocol} stricmp https [AND]
if %{HEADER:user-agent} regmatch "^Mozilla" [AND]
if %{HEADER:user-agent} !regmatch "(Chrome|Chromium)/[1-6]?[0-9]\." [AND]
if %{HEADER:user-agent} !regmatch "(UCBrowser)/([0-9]|10|11|12)\." [AND]
if %{HEADER:user-agent} !regmatch "\(iP.+; CPU .*OS 12_.*\) AppleWebKit\/" [AND]
if %{HEADER:user-agent} !regmatch "\(Macintosh;.*Mac OS X 10_14.*(Version\/.* Safari.*|AppleWebKit\/[0-9\.]+.*\(KHTML, like Gecko\))$"

    RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*)" "$1$2; SameSite=None; Secure"
    RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*; *SameSite=[a-zA-Z]+.*); SameSite=None; Secure" $1$2
    RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*; *Secure.*); Secure" $1$2


2. Webdispatcher.ini Parameter

Using HANA Studio, connect to the SYSTEMDB

Navigate to the Configuration -> WebDispatcher -> Profile


Figure 2: HANA Studio, Add Parameter

Add a new System Parameter


Figure 3: Assign Values to System

Change the FILE path as appropriate, to match your rewrite.txt. In my case the HANA SID is HDB.

## Key

## Value
PREFIX=/, FILE=/hana/shared/<SID>/profile/rewrite.txt


Figure 4: Add icm/HTTP/mod_0 key


3. Restart webdispatcher Service

For this setting to become active we need to restart the Webdispatcher.
This can be easily done by killing the service. It will then restart automatically


Figure 5: Kill the webdispatcher service

Logout and login to your live HANA based SAC story or Analytical Application. All should now be working again 🙂

If not check the

  • Chrome Developer Tools Console for errors and or issues.
  • Cookies – check to see if any are being blocked

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Prashant Jayaraman
      Prashant Jayaraman

      If you don’t have HANA Studio, you can just execute the following SQL statement (on the SYSTEMDB if you’re on a multitenant system):

      ALTER SYSTEM ALTER CONFIGURATION ('webdispatcher.ini','system') 
      SET ('profile','icm/HTTP/mod_0') = 'PREFIX=/, FILE=/hana/shared/<SID>/profile/rewrite.txt' 

      My <SID> was HXE since I’m using HANA Express.

      Then you can stop/start the HANA system as follows:

      1. /usr/sap/hostctrl/exe/sapcontrol -nr <instance-number> -function Stop
      2. Wait for everything to have Stopped.  (See status with /usr/sap/hostctrl/exe/sapcontrol -nr <instance-number> -function GetProcessList)
      3. /usr/sap/hostctrl/exe/sapcontrol -nr <instance-number> -function Start

      For me the <instance-number> is 90 since I’m using HANA Express.

      Also make sure that rewrite.txt was not written with sudo, or webdispatcher will not be able to read it.  If webdispatcher fails to restart, check its trace files (which is located for HANA Express at /usr/sap/HXE/HDB90/hxehost/trace).

      Author's profile photo Pushpak Shukla
      Pushpak Shukla


      We were able to fix fix the Chrome SameSite Cookie issue in normal mode by following this blog, but not in Incognito mode, likely because in Incognito Chrome blocks third party cookies by default. Is there a way out for Incognito mode please?


      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Hi Pushpak,

      When switching to incognito mode you can specify whether to block third-party cookies or not.

      By default, with Chrome 83+ this is now on, if you turn that off then you should be able to connect as before.

      Author's profile photo Pushpak Shukla
      Pushpak Shukla

      Hi Ian,


      Thanks for your prompt response, your above blog is very helpful.


      Indeed, turning off will allow the form to get submit in Incognito, but change will be on client side. So this means every user should be doing this when they are receiving a email campaign from SAP Marketing which is undesirable. So we want to do it from server side /web dispatcher level (similar to what you've described) so that it is applicable for all users.



      Author's profile photo Ian Henry
      Ian Henry
      Blog Post Author

      Hi Pushpak,

      I'm not aware that is possible, as it the enhanced browser security that is rejecting this cookie.

      This post from Darryl Griffiths really highlights the details of the issue.

      Author's profile photo Rahul Jain
      Rahul Jain

      Hey @Ian Henry

      I am using SAP B1 Service Layer and stumble upon the same errror, Any solutions for the same ?