How to fix Google Chrome SameSite Cookie issue with SAC and HANA XS
In this blogpost I will describe the steps to fix the Chrome SameSite Cookie issue that can occur with SAP Analytics Cloud and HANA Live Connections using the XS Engine on premise.
I am using Google Chrome 84 and the SameSite Cookie change has come into effect, which prevented a number of my dashboards from rendering.
The impact of this is that your SAC dashboards may not load, and you may see these error messages:
Http Status: 403 Forbidden Error Protocol (#50) Cannot fetch csrf token from server
Chrome Developer Tools has a new “Issues” tab where we can identify these problems.
Figure 1: Chrome Developer Tools, Issues
SameSite cookies have been expertly explained in detail by Dong Pan here:
https://www.sapanalytics.cloud/direct-live-connections-in-sap-analytics-cloud-and-samesite-cookies/
In this blog post I have captured only the steps required for SAC Live Connections to SAP HANA 1.x or 2.x using the XS engine.
1. Create rewrite.txt
This file resides on the HANA filesystem and should be somewhere accessible to the HDBADM or equivalent user. The recommended location is:
/hana/shared/HDB/profile/rewrite.txt
The contents of the file are as follows:
SetHeader sap-ua-protocol ""
if %{HEADER:clientprotocol} stricmp http [OR]
if %{HEADER:x-forwarded-proto} stricmp http [OR]
if %{HEADER:forwarded} regimatch proto=http
begin
SetHeader sap-ua-protocol "http"
end
if %{HEADER:clientprotocol} stricmp https [OR]
if %{HEADER:x-forwarded-proto} stricmp https [OR]
if %{HEADER:forwarded} regimatch proto=https
begin
SetHeader sap-ua-protocol "https"
end
if %{HEADER:sap-ua-protocol} strcmp "" [AND]
if %{SERVER_PROTOCOL} stricmp https
begin
SetHeader sap-ua-protocol "https"
end
if %{RESPONSE_HEADER:set-cookie} !strcmp "" [AND]
if %{HEADER:sap-ua-protocol} stricmp https [AND]
if %{HEADER:user-agent} regmatch "^Mozilla" [AND]
if %{HEADER:user-agent} !regmatch "(Chrome|Chromium)/[1-6]?[0-9]\." [AND]
if %{HEADER:user-agent} !regmatch "(UCBrowser)/([0-9]|10|11|12)\." [AND]
if %{HEADER:user-agent} !regmatch "\(iP.+; CPU .*OS 12_.*\) AppleWebKit\/" [AND]
if %{HEADER:user-agent} !regmatch "\(Macintosh;.*Mac OS X 10_14.*(Version\/.* Safari.*|AppleWebKit\/[0-9\.]+.*\(KHTML, like Gecko\))$"
begin
RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*)" "$1$2; SameSite=None; Secure"
RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*; *SameSite=[a-zA-Z]+.*); SameSite=None; Secure" $1$2
RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*; *Secure.*); Secure" $1$2
end
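To see what the last block of rewrite.txt does to a Set-Cookie header, this added example (not part of the original post and not SAP code) models the user-agent conditions and the three RegIRewriteResponseHeader rules with Python's re module. It assumes Python regex semantics are close enough to the Web Dispatcher's for these patterns and that the RegI prefix means case-insensitive matching; the function names and sample cookies are constructed.

```python
import re

# Exclusion patterns copied from the user-agent conditions in rewrite.txt.
EXCLUDED_UA = [
    r"(Chrome|Chromium)/[1-6]?[0-9]\.",
    r"(UCBrowser)/([0-9]|10|11|12)\.",
    r"\(iP.+; CPU .*OS 12_.*\) AppleWebKit\/",
    r"\(Macintosh;.*Mac OS X 10_14.*(Version\/.* Safari.*"
    r"|AppleWebKit\/[0-9\.]+.*\(KHTML, like Gecko\))$",
]

# The three RegIRewriteResponseHeader rules, in file order.
RULES = [
    # 1. Append SameSite=None; Secure to every cookie.
    (r"^([^=]+)(=.*)", r"\1\2; SameSite=None; Secure"),
    # 2. Cookie already had its own SameSite: undo the append.
    (r"^([^=]+)(=.*; *SameSite=[a-zA-Z]+.*); SameSite=None; Secure", r"\1\2"),
    # 3. Cookie already had Secure: drop the duplicate.
    (r"^([^=]+)(=.*; *Secure.*); Secure", r"\1\2"),
]


def rewrite_applies(user_agent, protocol="https"):
    """Mirror the if-chain guarding the rewrite block (regmatch = case-sensitive)."""
    if protocol.lower() != "https" or not re.search(r"^Mozilla", user_agent):
        return False
    return not any(re.search(p, user_agent) for p in EXCLUDED_UA)


def rewrite_set_cookie(value):
    """Apply the three rules in order; RegI... is modelled as case-insensitive."""
    for pattern, replacement in RULES:
        value = re.sub(pattern, replacement, value, count=1, flags=re.I)
    return value


# Constructed sample headers (not captured from a real system).
SAMPLES = [
    "sapxslb=ABC123; path=/; HttpOnly",
    "sessionid=XYZ; path=/; secure; HttpOnly",
    "pref=1; path=/; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie in SAMPLES:
        print(f"{cookie!r:45} -> {rewrite_set_cookie(cookie)!r}")
```

A cookie that already declares its own SameSite value comes out unchanged, so the rules only alter cookies that leave the attribute unset.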
2. Webdispatcher.ini Parameter
Using HANA Studio, connect to the SYSTEMDB.
Navigate to Configuration -> WebDispatcher -> Profile.
Figure 2: HANA Studio, Add Parameter
Add a new System Parameter
Figure 3: Assign Values to System
Change the FILE path as appropriate, to match your rewrite.txt. In my case the HANA SID is HDB.
## Key
icm/HTTP/mod_0
## Value
PREFIX=/, FILE=/hana/shared/<SID>/profile/rewrite.txt
Figure 4: Add icm/HTTP/mod_0 key
3. Restart webdispatcher Service
For this setting to become active, we need to restart the Webdispatcher.
This can easily be done by killing the service. It will then restart automatically.
Figure 5: Kill the webdispatcher service
Log out and log in to your live HANA based SAC story or Analytical Application. All should now be working again 🙂
If not, check the following:
- Chrome Developer Tools Console, for errors and/or issues.
- Cookies, to see if any are being blocked.
If you don’t have HANA Studio, you can just execute the following SQL statement (on the SYSTEMDB if you’re on a multitenant system):
My <SID> was HXE since I’m using HANA Express.
Then you can stop/start the HANA system as follows:
For me the <instance-number> is 90 since I’m using HANA Express.
Also make sure that rewrite.txt was not written with sudo, or webdispatcher will not be able to read it. If webdispatcher fails to restart, check its trace files (which are located for HANA Express at /usr/sap/HXE/HDB90/hxehost/trace).
Hi,
We were able to fix the Chrome SameSite Cookie issue in normal mode by following this blog, but not in Incognito mode, likely because in Incognito Chrome blocks third party cookies by default. Is there a way out for Incognito mode please?
Regards,
Pushpak
Hi Pushpak,
When switching to incognito mode you can specify whether to block third-party cookies or not.
By default, with Chrome 83+ this is now on, if you turn that off then you should be able to connect as before.
Hi Ian,
Thanks for your prompt response, your above blog is very helpful.
Indeed, turning it off will allow the form to get submitted in Incognito, but the change will be on the client side. So this means every user should be doing this when they are receiving an email campaign from SAP Marketing, which is undesirable. So we want to do it at the server side / web dispatcher level (similar to what you've described) so that it is applicable for all users.
Regards,
Pushpak
Hi Pushpak,
I'm not aware that is possible, as it is the enhanced browser security that is rejecting this cookie.
This post from Darryl Griffiths really highlights the details of the issue.
https://www.it-implementor.co.uk/2020/08/cookies-sap-analytics-cloud-and-cors-in-netweaver.html
Hey @Ian Henry