Skip to Content
Technical Articles

How to fix Google Chrome SameSite Cookie issue with SAC and HANA XS

In this blogpost I will describe the steps to fix the Chrome SameSite Cookie issue that can occur with HANA using the XS Engine on premise.

I am using Google Chrome 84 and the SameSite Cookie change has come into effect, which prevented a number of my dashboards from rendering.

The impact of this is that you maybe your SAC dashboards aren’t loading, perhaps you’re seeing these error messages.

Http Status: 403 Forbidden

Error Protocol (#50) Cannot fetch csrf token from server

 

Chrome Developer Tools has a new “Issues” tab where we can identify these problems.

Figure 1: Chrome Developer Tools, Issues

Samesite cookies have been expertly explained by Dong Pan in detail here.
https://www.sapanalytics.cloud/direct-live-connections-in-sap-analytics-cloud-and-samesite-cookies/

In this blog post I have captured only the steps required for SAC Live Connections to SAP HANA 1.x or 2.x using the XS engine.

1. Create rewrite.txt

This file resides on the HANA filesystem, it should be in somewhere accessible to the HDBADM or equivalent user. Recommended location would be here

/hana/shared/HDB/profile/rewrite.txt

The contents of the file is as follows

SetHeader sap-ua-protocol ""
if %{HEADER:clientprotocol} stricmp http [OR]
if %{HEADER:x-forwarded-proto} stricmp http [OR]
if %{HEADER:forwarded} regimatch proto=http

begin
    SetHeader sap-ua-protocol "http"
end

if %{HEADER:clientprotocol} stricmp https [OR]
if %{HEADER:x-forwarded-proto} stricmp https [OR]
if %{HEADER:forwarded} regimatch proto=https

begin
    SetHeader sap-ua-protocol "https"
end

if %{HEADER:sap-ua-protocol} strcmp "" [AND]
if %{SERVER_PROTOCOL} stricmp https

begin
    SetHeader sap-ua-protocol "https"
end

if %{RESPONSE_HEADER:set-cookie} !strcmp "" [AND]
if %{HEADER:sap-ua-protocol} stricmp https [AND]
if %{HEADER:user-agent} regmatch "^Mozilla" [AND]
if %{HEADER:user-agent} !regmatch "(Chrome|Chromium)/[1-6]?[0-9]\." [AND]
if %{HEADER:user-agent} !regmatch "(UCBrowser)/([0-9]|10|11|12)\." [AND]
if %{HEADER:user-agent} !regmatch "\(iP.+; CPU .*OS 12_.*\) AppleWebKit\/" [AND]
if %{HEADER:user-agent} !regmatch "\(Macintosh;.*Mac OS X 10_14.*(Version\/.* Safari.*|AppleWebKit\/[0-9\.]+.*\(KHTML, like Gecko\))$"

begin
    RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*)" "$1$2; SameSite=None; Secure"
    RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*; *SameSite=[a-zA-Z]+.*); SameSite=None; Secure" $1$2
    RegIRewriteResponseHeader set-cookie "^([^=]+)(=.*; *Secure.*); Secure" $1$2
end

 

2. Webdispatcher.ini Parameter

Using HANA Studio, connect to the SYSTEMDB

Navigate to the Configuration -> WebDispatcher -> Profile

Figure%20x%3A%20Webdispatcher.ini

Figure 2: HANA Studio, Add Parameter

Add a new System Parameter

Figure%20x%3A%20Add

Figure 3: Assign Values to System

Change the FILE path as appropriate, to match your rewrite.txt. In my case the HANA SID is HDB.

## Key
icm/HTTP/mod_0

## Value
PREFIX=/, FILE=/hana/shared/<SID>/profile/rewrite.txt

Figure%20x%3A%20Add%20System%20Parameter

Figure 4: Add icm/HTTP/mod_0 key

 

3. Restart webdispatcher Service

For this setting to become active we need to restart the Webdispatcher.
This can be easily done by killing the service. It will then restart automatically

Figure%20x%3A%20Kill%20webdispatcher

Figure 5: Kill the webdispatcher service

Logout and login to your live HANA based SAC story or Analytical Application. All should now be working again 🙂

If not check the

  • Chrome Developer Tools Console for errors and or issues.
  • Cookies – check to see if any are being blocked
1 Comment
You must be Logged on to comment or reply to a post.
  • If you don’t have HANA Studio, you can just execute the following SQL statement (on the SYSTEMDB if you’re on a multitenant system):

    ALTER SYSTEM ALTER CONFIGURATION ('webdispatcher.ini','system') 
    SET ('profile','icm/HTTP/mod_0') = 'PREFIX=/, FILE=/hana/shared/<SID>/profile/rewrite.txt' 
    WITH RECONFIGURE;

    My <SID> was HXE since I’m using HANA Express.

    Then you can stop/start the HANA system as follows:

    1. /usr/sap/hostctrl/exe/sapcontrol -nr <instance-number> -function Stop
    2. Wait for everything to have Stopped.  (See status with /usr/sap/hostctrl/exe/sapcontrol -nr <instance-number> -function GetProcessList)
    3. /usr/sap/hostctrl/exe/sapcontrol -nr <instance-number> -function Start

    For me the <instance-number> is 90 since I’m using HANA Express.

    Also make sure that rewrite.txt was not written with sudo, or webdispatcher will not be able to read it.  If webdispatcher fails to restart, check its trace files (which is located for HANA Express at /usr/sap/HXE/HDB90/hxehost/trace).