3.1.2 Setting up Secure Flag for Cookies
This topic describes how to set the Secure flag on cookies in WebLogic Server, together with the HttpOnly flag and a restricted cookie path that are configured in the same session-descriptor.
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic.
- Cookies are set with HttpOnly (cookie-http-only) true, so client-side script cannot read the session cookie through document.cookie
- Cookie Secure flag (cookie-secure) set to true, so the browser only sends the cookie over HTTPS
- Cookie path (cookie-path) set to the deployed application's context path, so the session cookie is not sent to other applications on the same host
- URL rewriting disabled (url-rewriting-enabled false), so the session ID is never appended to URLs, where it would leak into server logs, browser history and Referer headers
In weblogic.xml the settings can be added individually, using the wls namespace prefix:
<wls:session-descriptor>
<wls:cookie-http-only>true</wls:cookie-http-only>
</wls:session-descriptor>
<wls:session-descriptor>
<wls:cookie-secure>true</wls:cookie-secure>
<wls:url-rewriting-enabled>false</wls:url-rewriting-enabled>
</wls:session-descriptor>
or as a single session-descriptor element, with <DeployedApplicationPath> replaced by the application's context path:
<session-descriptor>
<cookie-name>JSESSIONID</cookie-name>
<cookie-path>/<DeployedApplicationPath></cookie-path>
<cookie-http-only>true</cookie-http-only>
<cookie-secure>true</cookie-secure>
<url-rewriting-enabled>false</url-rewriting-enabled>
</session-descriptor>
Make sure these cookie flags are enabled by default on the WebLogic Server, and apply the corresponding WebLogic patch so that the above changes take effect. After redeployment, confirm the result by inspecting the Set-Cookie header of a response that creates a session: it must carry Secure and HttpOnly and the expected Path, and no URL in the response should contain a ;jsessionid= parameter.
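The following is an added verification script, not code from the original hardening guide or from WebLogic. It parses the Set-Cookie headers of a response the way a browser would, reports any cookie missing Secure or HttpOnly, checks that the session cookie is scoped to the application's path, and looks for the ;jsessionid= path parameter that URL rewriting leaves in Location headers and links. The cookie name JSESSIONID is WebLogic's default; the application path "/myapp" and the sample responses are constructed for illustration.

```python
"""Audit an HTTP response for the WebLogic cookie hardening described above.

Added example, not part of the original guide. The sample headers and body at
the bottom are constructed to show a response before and after the
session-descriptor changes have been applied.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SESSION_COOKIE = "JSESSIONID"  # WebLogic's default session cookie name
# URL rewriting appends the session ID as a path parameter: /path;jsessionid=...
JSESSIONID_IN_URL = re.compile(r";jsessionid=[^\s;?\"'<>]+", re.IGNORECASE)


@dataclass
class CookieCheck:
    name: str
    path: Optional[str]
    secure: bool
    http_only: bool
    problems: list[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieCheck:
    """Split a Set-Cookie value into the cookie name and the attributes audited here.

    Attribute names are case-insensitive (RFC 6265); Secure and HttpOnly carry
    no value, so their mere presence sets the flag.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    path, secure, http_only = None, False, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "path":
            path = value.strip()
    return CookieCheck(name, path, secure, http_only)


def audit_set_cookie(header_value: str, app_path: str) -> CookieCheck:
    """Return the parsed cookie with a list of hardening problems (empty when OK)."""
    cookie = parse_set_cookie(header_value)
    if not cookie.secure:
        cookie.problems.append("missing Secure: browser will send it over plain HTTP")
    if not cookie.http_only:
        cookie.problems.append("missing HttpOnly: readable via document.cookie")
    if cookie.name == SESSION_COOKIE:
        # A missing Path defaults to the request's directory and "/" exposes the
        # session cookie to every application on the host; require the app path.
        if cookie.path is None or cookie.path.rstrip("/") != app_path.rstrip("/"):
            cookie.problems.append(
                f"Path is {cookie.path!r}, expected {app_path!r}: session cookie "
                "not scoped to the deployed application")
    return cookie


def find_rewritten_session_ids(text: str) -> list[str]:
    """Return every ;jsessionid=... fragment found in the text."""
    return JSESSIONID_IN_URL.findall(text)


def audit_response(headers: list[tuple[str, str]], body: str,
                   app_path: str) -> dict[str, list[str]]:
    """Audit all Set-Cookie headers, the Location header and the body for leaks."""
    report: dict[str, list[str]] = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            checked = audit_set_cookie(value, app_path)
            report[checked.name] = checked.problems
        elif name.lower() == "location" and find_rewritten_session_ids(value):
            report.setdefault("url-rewriting", []).append(
                f"session ID in Location header: {value}")
    for hit in find_rewritten_session_ids(body):
        report.setdefault("url-rewriting", []).append(f"session ID in body link: {hit}")
    return report


# Constructed sample responses (not captured from a real server).
WEAK_HEADERS = [
    ("Set-Cookie", "JSESSIONID=5F2A9C1D; Path=/"),
    ("Location", "https://example.test/myapp/home;jsessionid=5F2A9C1D"),
]
WEAK_BODY = '<a href="/myapp/account;jsessionid=5F2A9C1D">Account</a>'

HARDENED_HEADERS = [
    ("Set-Cookie", "JSESSIONID=5F2A9C1D; Path=/myapp; Secure; HttpOnly"),
    ("Location", "https://example.test/myapp/home"),
]
HARDENED_BODY = '<a href="/myapp/account">Account</a>'

if __name__ == "__main__":
    for label, hdrs, body in (("weak", WEAK_HEADERS, WEAK_BODY),
                              ("hardened", HARDENED_HEADERS, HARDENED_BODY)):
        print(label, audit_response(hdrs, body, "/myapp"))
```

Run it against the headers of a real login response (for example the output of curl -i -k against the deployed application) by pasting them into the headers list; an empty problems list for JSESSIONID and no url-rewriting entry means the session-descriptor above is in effect.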