SAP Knowledge Base Article - Preview

2353999 - Security Scan Shows "Session Identifier Not Updated" Risk


You are using third party security scan application to check a EP system and it reports issue "Session Identifier Not Updated" as a risk. The text may look like below.

Security Risks : Session Identifier Not Updated

Risk(s): It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.

Fix: Change session identifier values after login



NetWeaver AS Java all releases


SAP NetWeaver all versions


Session Identifier, security risk, security vulnerability, JSESSIONID, JSESSIONMARKID, SessionIdRegenerationEnabled , KBA , BC-JAS-WEB , Web Container, HTTP, JavaMail, Servlets , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.