Sun Java System Access Manager 7 2005Q4 Release Notes

CR# 6843487: Access Manager session cookies can be marked as HTTPOnly

Patch 11 includes the new com.sun.identity.cookie.httponly property, which allows Access Manager session cookies to be marked as HTTPOnly so that client-side scripts and third-party programs cannot read them. Specifically, marking session cookies as HTTPOnly helps mitigate cross-site scripting (XSS) attacks that attempt to steal the session cookie.

By default, the value for com.sun.identity.cookie.httponly is false. To set this new property, add it to the AMConfig.properties file with a value of true and then restart the Access Manager web container.
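The following script is an added example and is not part of the release notes or of the Access Manager product. It verifies both halves of the procedure above from an administrator's side: it reads an AMConfig.properties excerpt and reports the effective value of com.sun.identity.cookie.httponly (false when the property is absent, as the notes state), and it parses Set-Cookie header lines captured from a login response to confirm that the session cookie actually carries the HttpOnly attribute after the web container restart. The cookie name iPlanetDirectoryPro, the domain and the cookie values are assumptions constructed for the sample; substitute the names your deployment uses.

```python
# Added example (not from the Access Manager release notes).
# Checks (1) whether AMConfig.properties enables the HTTPOnly cookie property
# and (2) whether captured Set-Cookie headers really carry the HttpOnly flag.
from typing import Dict, List, Tuple

PROPERTY = "com.sun.identity.cookie.httponly"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The key ends at the first '=' or ':' on the line.
        idx = min((line.find(c) for c in "=:" if c in line), default=-1)
        if idx < 0:
            props[line] = ""
        else:
            props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def httponly_enabled(props: Dict[str, str]) -> bool:
    """Effective value of the property; the release notes say it defaults to false."""
    return props.get(PROPERTY, "false").strip().lower() == "true"


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header value into (name, value, lower-cased attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(headers: List[str]) -> Dict[str, bool]:
    """Map each cookie name to True when its Set-Cookie header includes HttpOnly."""
    result: Dict[str, bool] = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        result[name] = "httponly" in attrs
    return result


# Constructed sample input: an AMConfig.properties excerpt with the property set.
SAMPLE_CONFIG = """\
# constructed AMConfig.properties excerpt
com.sun.identity.cookie.httponly=true
"""

# Constructed Set-Cookie headers; iPlanetDirectoryPro is an assumed session cookie name.
SAMPLE_HEADERS_BEFORE = [
    "iPlanetDirectoryPro=AQIC5w-constructed; Domain=.example.com; Path=/",
    "JSESSIONID=constructed123; Path=/amserver",
]
SAMPLE_HEADERS_AFTER = [
    "iPlanetDirectoryPro=AQIC5w-constructed; Domain=.example.com; Path=/; HttpOnly",
]

if __name__ == "__main__":
    print("property enabled:", httponly_enabled(parse_properties(SAMPLE_CONFIG)))
    print("before restart:", audit_cookies(SAMPLE_HEADERS_BEFORE))
    print("after restart: ", audit_cookies(SAMPLE_HEADERS_AFTER))
```

In practice, feed audit_cookies the Set-Cookie lines from a real login response (for example from a browser's network panel or a curl -i capture) rather than the constructed sample; a session cookie still lacking HttpOnly after the property is set usually means the web container was not restarted or the property was placed in the wrong AMConfig.properties file.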