Securing Cookies on Weblogic Server

HTTPOnly

The HttpOnly flag prevents client-side scripts from reading the cookie (provided the browser supports it). In WebLogic 11g the session cookie is HttpOnly by default, so an attempt to read it from JavaScript (for example through document.cookie) returns nothing.

Some applications do not work when the session cookie is HttpOnly (typically ones whose client-side code reads the session ID). It can be disabled by adding the following to the session-descriptor in weblogic.xml; be aware that doing so re-exposes the session ID to any script injected through XSS.

<cookie-http-only>false</cookie-http-only>

Cookie Secure

When cookie-secure is enabled, the browser sends the session cookie only over an SSL/TLS connection.
So when using this feature we must make sure the application is accessible over SSL; over plain HTTP the browser will withhold the cookie and no session will be maintained.
It is enabled by adding the following to the session-descriptor. Note that URL rewriting should be disabled at the same time, otherwise the session ID can still leak in the URL when the browser does not send the cookie.

<session-descriptor>
<cookie-secure>true</cookie-secure>
<url-rewriting-enabled>false</url-rewriting-enabled>
</session-descriptor>

WL AuthCookie

When a secure resource is accessed over SSL, WebLogic Server sets an additional cookie named _WL_AUTHCOOKIE_JSESSIONID_ for greater security. Both the JSESSIONID and the AuthCookie must be presented for every secure resource accessed over SSL; if the AuthCookie is missing, the user has to authenticate again. The AuthCookie is itself flagged secure, so it only ever travels over the SSL connection and never appears on plain HTTP. That is what makes it valuable: a JSESSIONID captured from an HTTP request cannot by itself be replayed against the SSL-protected pages.

It is enabled by default. To disable it, set AuthCookieEnabled="false" on the WebServer element in config.xml:

<WebServer Name="myserver" AuthCookieEnabled="false"/>
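As an added check for the three settings above (an example script written for this page, not part of the original post and not a WebLogic tool), the following POSIX shell function reads raw HTTP response headers on stdin, for example captured with curl -sk -D - -o /dev/null https://host/app/, and reports every cookie that lacks HttpOnly or Secure, plus whether _WL_AUTHCOOKIE_JSESSIONID_ was issued at all. The header samples at the bottom are constructed for the demo, not captured from a real server. Since the AuthCookie is only set once the session is authenticated over SSL, feed it the response of the request that completes login, not an anonymous page.

```shell
#!/bin/sh
# check_cookie_flags: read HTTP response headers on stdin, print one line per
# finding (missing HttpOnly, missing Secure, no _WL_AUTHCOOKIE_JSESSIONID_).
# Returns 0 when nothing is missing, 1 otherwise.
check_cookie_flags() {
    rc=0
    seen_auth=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')   # curl emits CRLF headers
        case "$line" in
            [Ss]et-[Cc]ookie:*) ;;
            *) continue ;;
        esac
        cookie=$(printf '%s' "$line" | sed 's/^[Ss]et-[Cc]ookie:[[:space:]]*//')
        name=${cookie%%=*}
        # Normalise attributes: lower-case, no spaces, wrapped in ';' so each
        # attribute is matched as a whole token rather than as a substring.
        attrs=";$(printf '%s' "$cookie" | tr 'A-Z' 'a-z' | tr -d ' ');"
        case "$attrs" in
            *";httponly;"*) ;;
            *) echo "MISSING HttpOnly: $name"; rc=1 ;;
        esac
        case "$attrs" in
            *";secure;"*) ;;
            *) echo "MISSING Secure: $name"; rc=1 ;;
        esac
        if [ "$name" = "_WL_AUTHCOOKIE_JSESSIONID_" ]; then
            seen_auth=1
        fi
    done
    if [ "$seen_auth" -eq 0 ]; then
        echo "MISSING _WL_AUTHCOOKIE_JSESSIONID_ (AuthCookieEnabled off, or not an authenticated SSL request?)"
        rc=1
    fi
    return $rc
}

# Constructed sample responses (not captured from a real server).
# Hardened: cookie-http-only default, cookie-secure true, AuthCookie issued.
HARDENED_HEADERS='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=AbC123; Path=/app; HttpOnly; Secure
Set-Cookie: _WL_AUTHCOOKIE_JSESSIONID_=XyZ789; Path=/app; Secure; HttpOnly'

# Weak: cookie-http-only false, cookie-secure unset, AuthCookie never issued.
WEAK_HEADERS='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=AbC123; Path=/app'

printf '%s\n' "$HARDENED_HEADERS" | check_cookie_flags && echo "hardened sample: OK"
printf '%s\n' "$WEAK_HEADERS" | check_cookie_flags || echo "weak sample: findings above"
```

On a live server the same function is used as curl -sk -D - -o /dev/null https://host/app/ | check_cookie_flags; a non-zero exit makes it usable as a gate in a deployment pipeline.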

References :-

http://www.owasp.org/index.php/HttpOnly
http://download.oracle.com/docs/cd/E13222_01/wls/docs100/security/thin_client.html

2 comments

  1. The code examples seem flawed in two places.

    To disable url-rewriting the code should be:
    false

    To disable AuthCookieEnabled, the code should be:

    Am I missing something?
