Register Login

ICF_SYSTEM_LOGIN 402/ 403, ICF System Issue

Updated May 18, 2018

ICF System Issue login Error, Login fails and Logon Cookie

System issues one of the following error messages and system logon fails.

"Logon with URL parameter not possible; logon cookie is missing" (message number: ICF_SYSTEM_LOGIN 402)


"Logon cookie check failed; repeat logon" (message number: ICF_SYSTEM_LOGIN 403)
Following points could be the reason for getting the above issue:

When a logon cookie is issued in addition during the system logon for security reasons. The error messages ICF_SYSTEM_LOGIN 402 and ICF_SYSTEM_LOGIN 403 indicate a problem with this logon cookie.

Possible reason for the error: Error message ICF_SYSTEM_LOGIN 402 "Logon with URL parameter not possible; logon cookie is missing"

  • You specified the parameters sap-user and sap-password in the URL. The system ignored the parameters and issued the error message. Due to the XSRF protection, the parameters can be sent to the system only from the logon screen.
  • The logon cookie is not transferred for technical reasons (for example, the logon cookie is transferred only using the HTTPS protocol). In this error situation, the system often issues the following additional error message: "Logon through HTTP is not possible; logon ticket is active for HTTPS only" (message ICF_SYSTEM_LOGIN 002). Check the setting of the kernel parameter login/ticket_only_by_https.

Possible reason for the error: Error message ICF_SYSTEM_LOGIN 403 "Logon cookie check failed; repeat logon"

  • You have opened two browser windows and called the logon screen of the same system in both windows. You then enter the user and password on the first screen and submit the screen; the system issues the error message. The logon cookie of the second screen overwrites the logon cookie of the first screen in the browser. When you submit the first screen, the system now sends the logon cookie of the second screen and the check of the cookie in the back end fails. Do not open two logon windows for the same system at the same time. If you want to connect to the same system twice, call the logon screens one after the other.
  • You activated the "Content Advisor". (For example, in Internet Explorer (IE): you choose "Tools -> Internet Options" and go to the "Content" tab.) If the Content Advisor is active, due to a (probably runtime-dependent) response from IE, the system calls the logon page twice and the logon cookie is overwritten. When you submit the logon, the error message then occurs. 

If you cannot deactivate the Content Advisor, your only option is to deactivate the XSRF protection as described in the solution. This problem occurs frequently when logging on to SAP Business ByDesign systems. We are in contact with the browser manufacturers to solve this problem.
Follow the below steps:

  • Set the logon cookie according to your requirements.
  • Activate or deactivate the logon cookie

You can configure whether the logon cookie is to be used and you can activate or deactivate it in the service settings. The default value depends on your release. The configuration switch is provided in transaction SICF. To access it, double-click a service to call the service settings and choose the "Error Pages" tab. On the "Logon Errors" tab page, choose the "Configuration" pushbutton for the system logon. In the system logon settings, set the "Deactivate Login XSRF Protection" indicator accordingly.