2.6 Cookie Attributes

This topic provides information on Cookie Attributes.

A cookie stored on the client often contains sensitive information such as the session ID. The browser sends the cookie with every request from client to server to maintain a valid authenticated session, so the cookie itself must be protected. Cookies are secured by setting their attributes correctly; the following two attributes must be set to secure a cookie.

  1. Secure: This attribute tells the browser to send the cookie only when the request is being sent over a secure channel such as HTTPS.
  2. HttpOnly: This attribute helps mitigate attacks such as cross-site scripting, since it does not allow the cookie to be read by client-side script such as JavaScript.

Set these attributes in the WebLogic deployment descriptor file (weblogic.xml). The following attributes need to be included in

<wls:session-descriptor>
  <!-- Send the session cookie only over HTTPS -->
  <wls:cookie-secure>true</wls:cookie-secure>
  <!-- Do not expose the session cookie to client-side script -->
  <wls:cookie-http-only>true</wls:cookie-http-only>
</wls:session-descriptor>
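The descriptor setting is only useful if the server actually emits the attributes. As an added example (not part of the WebLogic documentation), the Python checker below parses Set-Cookie response headers and reports which cookies lack Secure or HttpOnly; the sample headers are constructed, and the cookie name JSESSIONID is assumed as the session cookie name.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes."""
from dataclasses import dataclass, field

# Attribute names are case-insensitive in HTTP; map lower-case to canonical.
REQUIRED_FLAGS = {"secure": "Secure", "httponly": "HttpOnly"}


@dataclass
class CookieAudit:
    name: str
    attributes: dict            # lower-cased attribute name -> value ("" for flags)
    missing: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value and flag missing security attributes."""
    parts = [p.strip() for p in header.split(";")]
    # First part is name=value; the cookie value may itself contain '='.
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:            # tolerate a trailing ';'
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    missing = [canon for low, canon in REQUIRED_FLAGS.items() if low not in attrs]
    return CookieAudit(name=name, attributes=attrs, missing=missing)


def audit_headers(headers):
    """Return {cookie_name: [missing attributes]} for each Set-Cookie header."""
    return {a.name: a.missing for a in map(parse_set_cookie, headers)}


# Constructed sample responses: one hardened cookie, one with neither
# attribute, one with HttpOnly but not Secure.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "legacy_session=def456; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "prefs=dark; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for cookie, missing in audit_headers(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

Feed it the Set-Cookie headers captured from a real login response to confirm the deployed application behaves as the descriptor intends.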