http://stackoverflow.com/questions/9193112/secure-and-httponly-flags-for-session-cookie-websphere-7
To set the Secure flag on the JSESSIONID cookie (same for WebSphere 7.x and 8.x):
- Log in to the WebSphere admin console
- Navigate to Server > Server types > WebSphere application servers
- Click on the server name (default is server1)
- Click on the link Web Container settings > Web Container
- Click on the link Session Management
- Click on the link Enable Cookies. This bit is a little confusing: you have to click on the text, not on the check box
- Select the option (check box) Restrict cookies to HTTPS sessions
- Save changes
To set the HttpOnly flag on the JSESSIONID cookie in WebSphere 8.x:
- Log in to the WebSphere admin console
- Navigate to Server > Server types > WebSphere application servers
- Click on the server name (default is server1)
- Click on the link Web Container settings > Web Container
- Click on the link Session Management
- Click on the link Enable Cookies. This bit is a little confusing: you have to click on the text, not on the check box
- Select the option (check box) Set session cookies to HTTPOnly to help prevent cross-site scripting attacks
- Save changes
To set the HttpOnly flag on the JSESSIONID cookie in WebSphere 7.x:
- Log in to the WebSphere admin console
- Navigate to Server > Server types > WebSphere application servers
- Click on the server name (default is server1)
- Click on the link Web Container settings > Web Container
- Click on the link Custom Properties
- Click on the button New
- Enter name: com.ibm.ws.webcontainer.httpOnlyCookies, value: * (HttpOnly will be set on all cookies, not only JSESSIONID)
- Click on the OK button
- Save changes
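After applying any of the three procedures above, the only proof that the change took effect is the Set-Cookie header the server actually sends. The following script is an added example (not from the original answer or from IBM) that parses raw response headers, such as the output of `curl -sI https://host/app/`, and reports which of the Secure and HttpOnly attributes each session cookie still lacks; the header blocks and cookie values embedded in it are constructed placeholders, and the LtpaToken2 line is included only to show the 7.x "all cookies" case.

```python
# Verify Secure/HttpOnly on session cookies from raw HTTP response headers.
# Constructed sample headers, not captured from a real WebSphere system:
HEADERS_BEFORE = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0000placeholder:-1; Path=/
Content-Type: text/html
"""

HEADERS_AFTER = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0000placeholder:-1; Path=/; Secure; HttpOnly
Set-Cookie: LtpaToken2=placeholder; Path=/; HttpOnly
Content-Type: text/html
"""

REQUIRED = ("secure", "httponly")


def parse_set_cookie(value):
    """Return (cookie_name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Flag attributes (Secure, HttpOnly) have no value, Path=/ does; keep only the name.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def check_session_cookies(raw_headers, cookie_names=("JSESSIONID",)):
    """Map each cookie to the REQUIRED attributes it is missing.

    cookie_names=None checks every cookie the server sets (useful after the
    7.x custom property with value '*'). A listed cookie that is never set is
    reported as missing everything, so an absent JSESSIONID is not a false pass.
    """
    findings = {} if cookie_names is None else {n: list(REQUIRED) for n in cookie_names}
    for header in raw_headers.splitlines():
        field, sep, value = header.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if cookie_names is None or name in findings:
            findings[name] = [a for a in REQUIRED if a not in attrs]
    return findings


if __name__ == "__main__":
    for label, headers in (("before", HEADERS_BEFORE), ("after", HEADERS_AFTER)):
        print(label, check_session_cookies(headers))
    print("all cookies after:", check_session_cookies(HEADERS_AFTER, None))
```

An empty list for JSESSIONID means both flags are present; note that the Secure flag is only meaningful when the application is actually served over HTTPS.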