
JSESSIONID HttpOnly in Weblogic 10.3

I am trying to set the http-only flag for JSESSIONID in Weblogic 10.3.

Apparently there was a parameter named cookie-http-only under session-descriptor to get this done in Weblogic 9, but this is missing for Weblogic 10.3. Is there any alternative for this?

I read somewhere that in WL 10 the HttpOnly flag is set by default, but it doesn't seem so in my case. Someone is trying to turn off HttpOnly flag in WL 10.3.5 here

Thanks

Content of the weblogic.xml I am using:

<wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
  <wls:context-root>/</wls:context-root>
  <wls:container-descriptor>
    <wls:prefer-web-inf-classes>true</wls:prefer-web-inf-classes>
  </wls:container-descriptor>
  <wls:session-descriptor>
    <wls:cookie-secure>true</wls:cookie-secure>
    <wls:url-rewriting-enabled>false</wls:url-rewriting-enabled>
    <wls:cookie-http-only>true</wls:cookie-http-only>
  </wls:session-descriptor>
</wls:weblogic-web-app>

It is not missing in later versions of 10.3. It may have been missing from the very first release of 10.3 however.

https://serverfault.com/questions/151107/http-only-cookies-in-weblogic-what-versions-support-them-how-and-why-are-they-s

Check the documentation here for 10.3.6 to see that it is indeed there:

http://docs.oracle.com/cd/E23943_01/web.1111/e13712/weblogic_xml.htm#i1071981

I would recommend grabbing the latest and greatest patch for 10.3.
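
One way to confirm whether the cookie-http-only setting discussed above actually takes effect, as an added example that is not part of the original question or answer: parse a response's Set-Cookie headers and report which of HttpOnly and Secure are missing from JSESSIONID. The function names and the header samples are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the session cookie's flags.
# The header blocks below are constructed samples, not captured WebLogic output.

SAMPLE_WITH_FLAG = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=abc123!-456; path=/; secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
)
# The cookie *value* contains the text "httponly" on purpose: a naive
# substring search over the header would wrongly report the flag as set.
SAMPLE_WITHOUT_FLAG = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=httponly123; path=/; secure\r\n"
)


def cookie_flags(set_cookie_value):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Everything after the first ';' is an attribute. Only the attribute name
    # matters here, so "Path=/" becomes "path" and "HttpOnly" becomes "httponly".
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_session_cookie(raw_headers, cookie_name="JSESSIONID",
                         required=("httponly", "secure")):
    """Return {Set-Cookie value: [missing flags]} for every cookie_name header."""
    findings = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line or some other header
        name, attrs = cookie_flags(value.strip())
        if name == cookie_name:
            findings[value.strip()] = [f for f in required if f not in attrs]
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_FLAG, SAMPLE_WITHOUT_FLAG):
        for cookie, missing in audit_session_cookie(sample).items():
            status = "OK" if not missing else "missing: " + ", ".join(missing)
            print(cookie, "->", status)
```

The input can be the header block printed by `curl -sI` against your own deployment, checked before and after changing weblogic.xml or applying a patch.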
