I am trying to set http-only flag for JSESSIONID in Weblogic 10.3
Apparently there was a parameter named cookie-http-only under session-descriptor to get this done in Weblogic 9, but this is missing for Weblogic 10.3. Is there any alternative for this?
I read somewhere that in WL 10 the HttpOnly flag is set by default, but it doesn't seem so in my case. Someone is trying to turn off the HttpOnly flag in WL 10.3.5 here
Thanks
Content of the weblogic.xml I am using:
<wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
    <wls:context-root>/</wls:context-root>
    <wls:container-descriptor>
        <wls:prefer-web-inf-classes>true</wls:prefer-web-inf-classes>
    </wls:container-descriptor>
    <wls:session-descriptor>
        <wls:cookie-secure>true</wls:cookie-secure>
        <wls:url-rewriting-enabled>false</wls:url-rewriting-enabled>
        <wls:cookie-http-only>true</wls:cookie-http-only>
    </wls:session-descriptor>
</wls:weblogic-web-app>
It is not missing in later versions of 10.3. It may have been missing from the very first release of 10.3 however.
Check the documentation here for 10.3.6 to see that it is indeed there:
http://docs.oracle.com/cd/E23943_01/web.1111/e13712/weblogic_xml.htm#i1071981
I would recommend grabbing the latest and greatest patch for 10.3.
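Whether the cookie-http-only and cookie-secure settings from the question's weblogic.xml actually took effect after patching, as the answer suggests, is easiest to confirm from the Set-Cookie header the server emits rather than from the descriptor. The following is an added example, not code from either post: it parses Set-Cookie headers and reports which of the two flags are missing from JSESSIONID. The sample headers in the main block are constructed, and the host and path in fetch_set_cookie_headers are placeholders you replace with your own server.

```python
"""Audit the Secure and HttpOnly flags on a WebLogic session cookie.

Added example (not from the original question or answer). Feed it the
Set-Cookie headers your WebLogic 10.3 instance returns; the fetch helper
assumes an HTTPS listener on a host/path you fill in.
"""
import http.client
import ssl
from typing import Dict, List, Optional, Sequence

# Flags the weblogic.xml session-descriptor in the question is meant to produce.
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and a lower-cased attribute map.

    Flag attributes without a value (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(
    set_cookie_headers: Sequence[str], cookie_name: str = "JSESSIONID"
) -> Optional[List[str]]:
    """Return the required flags missing from cookie_name.

    An empty list means the cookie is hardened as configured; None means the
    response never issued that cookie at all (e.g. no session was created).
    """
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] != cookie_name:
            continue
        attrs = cookie["attrs"]
        return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]
    return None


def fetch_set_cookie_headers(host: str, path: str = "/", port: int = 443) -> List[str]:
    """Fetch path over HTTPS and return every Set-Cookie header from the response.

    host/path/port are placeholders for your own WebLogic listener; TLS
    verification uses the default trust store.
    """
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context())
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample responses: one hardened, one with the flags absent.
    hardened = ["JSESSIONID=ABC123; Path=/; Secure; HttpOnly"]
    weak = ["JSESSIONID=ABC123; Path=/"]
    print("hardened ->", audit_session_cookie(hardened))  # []
    print("weak     ->", audit_session_cookie(weak))      # ['Secure', 'HttpOnly']
    # Against a live server (placeholder host): uncomment and fill in.
    # print(audit_session_cookie(fetch_set_cookie_headers("weblogic.example.invalid", "/")))
```

A None result is worth distinguishing from an empty list: WebLogic only sets JSESSIONID once a session exists, so request a page that creates one before concluding the flags are fine.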