Secure and HttpOnly flags for the session cookie in WebSphere 7 and 8.x

http://stackoverflow.com/questions/9193112/secure-and-httponly-flags-for-session-cookie-websphere-7

To set the Secure flag on the JSESSIONID cookie (same steps for WebSphere 7.x and 8.x):

  • Log in to the WebSphere admin console
  • Navigate to Server > Server types > WebSphere application servers
  • Click on the server name (default is server1)
  • Click on the link Web Container settings > Web Container
  • Click on the link Session Management
  • Click on the link Enable Cookies. This is a little confusing: you have to click on the text, not on the check box
  • Select the option (check box) Restrict cookies to HTTPS sessions
  • Save changes

To set the HttpOnly flag on the JSESSIONID cookie in WebSphere 8.x:

  • Log in to the WebSphere admin console
  • Navigate to Server > Server types > WebSphere application servers
  • Click on the server name (default is server1)
  • Click on the link Web Container settings > Web Container
  • Click on the link Session Management
  • Click on the link Enable Cookies. This is a little confusing: you have to click on the text, not on the check box
  • Select the option (check box) Set session cookies to HTTPOnly to help prevent cross-site scripting attacks
  • Save changes

To set the HttpOnly flag on the JSESSIONID cookie in WebSphere 7.x:

  • Log in to the WebSphere admin console
  • Navigate to Server > Server types > WebSphere application servers
  • Click on the server name (default is server1)
  • Click on the link Web Container settings > Web Container
  • Click on the link Custom Properties
  • Click on the button New
  • Enter name: com.ibm.ws.webcontainer.httpOnlyCookies value: * (HttpOnly will be set on all cookies, not only JSESSIONID)
  • Click on the OK button
  • Save changes
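After applying any of the three procedures above, the only thing that proves the change took effect is the Set-Cookie header the server actually sends. The following is an added example, not code from the original post or from IBM: it parses Set-Cookie header values as a browser would (attribute names compared case-insensitively, per RFC 6265) and reports which of the Secure and HttpOnly flags the JSESSIONID cookie is still missing. The sample headers and cookie values are constructed for the example.

```python
# Added example (not from the original post or IBM's documentation).
# Checks whether the WebSphere session cookie (JSESSIONID by default) carries
# the Secure and HttpOnly attributes that the console settings above add.

SESSION_COOKIE = "JSESSIONID"       # WebSphere's default session cookie name
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attributes are keyed by lowercase name. Valueless attributes such as
    Secure and HttpOnly map to True; per RFC 6265 a browser treats
    "Secure" as set even if some value follows it, so presence is what counts.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep:
        raise ValueError("malformed cookie pair: %r" % parts[0])
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue                      # tolerate a trailing ';'
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def missing_flags(header_value):
    """Return the required flags (lowercase) absent from one Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header_value)
    return [flag for flag in REQUIRED_FLAGS if flag not in attrs]


def audit_cookies(set_cookie_headers):
    """Map every cookie name in the response to the flags it lacks.

    Useful after setting com.ibm.ws.webcontainer.httpOnlyCookies=*, which is
    meant to mark every cookie HttpOnly, not only the session cookie.
    """
    return {parse_set_cookie(h)[0]: missing_flags(h) for h in set_cookie_headers}


def audit_session_cookie(set_cookie_headers, session_name=SESSION_COOKIE):
    """Flags the session cookie lacks; None if the response set no session cookie."""
    return audit_cookies(set_cookie_headers).get(session_name)


# Constructed sample headers, as a server might send them before and after
# the console changes described above (cookie values are made up).
BEFORE = [
    "JSESSIONID=0000abc123:-1; Path=/",
    "theme=dark; Path=/",
]
AFTER = [
    "JSESSIONID=0000abc123:-1; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        gaps = audit_session_cookie(headers)
        if gaps is None:
            status = "no session cookie set"
        elif gaps:
            status = "missing " + ", ".join(gaps)
        else:
            status = "OK"
        print("%s: %s -> %s" % (label, SESSION_COOKIE, status))
```

To run it against a live server, feed it the Set-Cookie header values from an HTTPS response that starts a session (for example the list a `requests` or `urllib` response exposes); a missing Secure flag after the change usually means the request was made over plain HTTP, since the Secure attribute only applies to cookies delivered over HTTPS.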

Viet Luu has written 152 articles