JSESSIONID HttpOnly in Weblogic 10.3

mzzzzb · Jun 11, 2014 · Viewed 8.7k times

I am trying to set the http-only flag for JSESSIONID in Weblogic 10.3.

Apparently there was a parameter named cookie-http-only under session-descriptor to get this done in Weblogic 9, but this is missing for Weblogic 10.3. Is there any alternative for this?

I read somewhere that in WL 10 the HttpOnly flag is set by default, but it doesn't seem so in my case. Someone is trying to turn off the HttpOnly flag in WL 10.3.5 here.

Thanks

Content of the weblogic.xml I am using:

<wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
  <wls:context-root>/</wls:context-root>
  <wls:container-descriptor>
    <wls:prefer-web-inf-classes>true</wls:prefer-web-inf-classes>
  </wls:container-descriptor>
  <wls:session-descriptor>
    <wls:cookie-secure>true</wls:cookie-secure>
    <wls:url-rewriting-enabled>false</wls:url-rewriting-enabled>
    <wls:cookie-http-only>true</wls:cookie-http-only>
  </wls:session-descriptor>
</wls:weblogic-web-app>
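Whichever WebLogic release is in use, the only thing that settles the question is what the server actually sends. The following is an added example (not code from the original post or from WebLogic) that parses Set-Cookie header values and reports which of the HttpOnly and Secure attributes the JSESSIONID cookie is missing; the sample headers are constructed, and fetch_set_cookie_headers is a hypothetical helper for running the same check against a live URL.

```python
"""Audit the JSESSIONID cookie for the HttpOnly and Secure attributes that the
cookie-http-only / cookie-secure settings in weblogic.xml are meant to add.
Added example, not part of the original post."""
import http.client
from urllib.parse import urlparse


def parse_set_cookie(header: str):
    """Return (cookie name, set of lowercased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for p in parts[1:]:
        # Attributes such as Path=/ carry a value; HttpOnly and Secure are bare flags.
        attrs.add(p.split("=", 1)[0].strip().lower())
    return name, attrs


def audit_session_cookie(set_cookie_headers, cookie_name="JSESSIONID"):
    """Return the sorted list of missing hardening attributes for cookie_name,
    [] if both HttpOnly and Secure are present, or None if the cookie is not set."""
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name.lower() == cookie_name.lower():
            return sorted({"httponly", "secure"} - attrs)
    return None


def fetch_set_cookie_headers(url: str, timeout: float = 5.0):
    """Hypothetical live check: GET url and return every Set-Cookie header value."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]


# Constructed sample headers (not captured from a real server):
# BEFORE models a session cookie with no hardening attributes,
# AFTER models what the session-descriptor above is supposed to produce.
BEFORE = ["JSESSIONID=AbCdEf123; Path=/"]
AFTER = ["JSESSIONID=AbCdEf123; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    print("before:", audit_session_cookie(BEFORE))  # ['httponly', 'secure']
    print("after:", audit_session_cookie(AFTER))    # []
```

To check a deployed instance, pass the result of fetch_set_cookie_headers("https://host:port/") to audit_session_cookie and treat any non-empty list as a finding.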

Answer

Display Name is missing · Jun 11, 2014

It is not missing in later versions of 10.3. It may have been missing from the very first release of 10.3 however.

https://serverfault.com/questions/151107/http-only-cookies-in-weblogic-what-versions-support-them-how-and-why-are-they-s

Check the documentation here for 10.3.6 to see that it is indeed there:

http://docs.oracle.com/cd/E23943_01/web.1111/e13712/weblogic_xml.htm#i1071981

I would recommend grabbing the latest and greatest patch for 10.3.