Turn on the HttpOnly flag for session cookies within Oracle WebLogic Server for the Oracle Empirica Signal software

Setting the HttpOnly, Secure, and SameSite flags when generating a cookie helps mitigate the risk of a client-side script reading the protected cookie, of the cookie being sent over an unencrypted connection, and of the cookie being sent with cross-site requests.

Perform these steps on the application server to turn on the HttpOnly, Secure, and SameSite flags for session cookies:

  1. Navigate to the <INSTALL_DIR>/Signal/WEB-INF directory.
  2. Open the weblogic.xml file, and locate the <session-descriptor> section.
  3. If the section does not contain the following elements, add the elements:
    • <wls:cookie-http-only>true</wls:cookie-http-only>
    • <wls:cookie-secure>true</wls:cookie-secure>
  4. If the section does not contain the following element, add it. Oracle recommends setting SameSite to at least LAX, which is the default value. For example:

    <wls:cookie-path>/;SameSite=LAX</wls:cookie-path>
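After editing the descriptor, a practitioner wants two checks: that weblogic.xml actually contains all three settings, and that the Set-Cookie header the redeployed server emits carries them. The following script is an added example, not part of the Oracle Empirica Signal documentation or product; the weblogic.xml fragments and the Set-Cookie value are constructed samples, and the wls namespace URI in them is an assumption (the checker matches on local element names, so it does not depend on it).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <session-descriptor> as it should look after the steps above.
# The xmlns:wls URI is assumed here; the checker ignores namespaces when matching.
SAMPLE_WEBLOGIC_XML = """<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <wls:session-descriptor>
    <wls:cookie-http-only>true</wls:cookie-http-only>
    <wls:cookie-secure>true</wls:cookie-secure>
    <wls:cookie-path>/;SameSite=LAX</wls:cookie-path>
  </wls:session-descriptor>
</wls:weblogic-web-app>
"""

# Constructed sample with the hardening elements missing, to show what a finding looks like.
SAMPLE_WEBLOGIC_XML_WEAK = """<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <wls:session-descriptor>
    <wls:cookie-name>JSESSIONID</wls:cookie-name>
  </wls:session-descriptor>
</wls:weblogic-web-app>
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _child_text(parent, local_name):
    """Text of the first direct child with the given local name, or None."""
    for child in parent:
        if _local(child.tag) == local_name:
            return (child.text or "").strip()
    return None


def audit_session_descriptor(xml_text):
    """Report which of the three cookie settings the <session-descriptor> carries."""
    root = ET.fromstring(xml_text)
    desc = next((e for e in root.iter() if _local(e.tag) == "session-descriptor"), None)
    if desc is None:
        return {"session_descriptor": False, "http_only": False,
                "secure": False, "same_site": None}
    # SameSite is carried inside cookie-path, e.g. "/;SameSite=LAX"
    cookie_path = _child_text(desc, "cookie-path") or ""
    m = re.search(r"SameSite=(\w+)", cookie_path, re.IGNORECASE)
    return {
        "session_descriptor": True,
        "http_only": _child_text(desc, "cookie-http-only") == "true",
        "secure": _child_text(desc, "cookie-secure") == "true",
        "same_site": m.group(1).upper() if m else None,
    }


def session_descriptor_ok(findings):
    """True only when HttpOnly, Secure and a SameSite of at least LAX are all set."""
    return bool(findings["http_only"] and findings["secure"]
                and findings["same_site"] in ("LAX", "STRICT"))


def audit_set_cookie(header_value):
    """Parse a Set-Cookie header value the way a browser does and report the flags."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is name=value of the cookie itself
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip()
    return {
        "http_only": "httponly" in attrs,
        "secure": "secure" in attrs,
        "same_site": attrs.get("samesite", "").upper() or None,
    }


if __name__ == "__main__":
    for label, xml_text in (("hardened", SAMPLE_WEBLOGIC_XML), ("weak", SAMPLE_WEBLOGIC_XML_WEAK)):
        f = audit_session_descriptor(xml_text)
        print(label, f, "OK" if session_descriptor_ok(f) else "FINDING")
    # Constructed Set-Cookie value as WebLogic would emit it with the settings above.
    print(audit_set_cookie("JSESSIONID=constructed-session-id; Path=/;SameSite=LAX; Secure; HttpOnly"))
```

Run the descriptor check against the real `<INSTALL_DIR>/Signal/WEB-INF/weblogic.xml` before redeploying, and feed `audit_set_cookie` the Set-Cookie header from a login response afterwards; a descriptor that passes but a header that does not usually means the application was not redeployed or a proxy in front of it rewrites cookies.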