This release introduces an' attribute to all application cookies following the Oracle Secure By Default policy. This feature encourages the use of HTTPS for running the application by default. This can be turned off by setting com.oracle.ouaf.web.disableSecureCookie=true, however this is not recommended. Refer to Doc ID 2833998.1 on My Oracle Support for more information.

This release introduces HttpOnly for cookies that are not added/modified in JavaScript.