Set up Secure Flag for Cookies

4.3.4.10 Set up Secure Flag for Cookies

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic.

Below configuration has to be ensured in weblogic.xml within the deployed application ear.

Cookies are set with Http only as true.
Cookie secure flag set to true.

Cookie path to refer to deployed application.

<wls: session-descriptor>
        <wls: cookie-http-only>true</wls: cookie-http-only>
</wls: session-descriptor>
<wls: session-descriptor>
        <wls: cookie-secure>true</wls: cookie-secure>
<wls: url-rewriting-enabled>false</wls: url-rewriting-enabled>
</wls: session-descriptor>
<session-descriptor>
        <cookie-name>JSESSIONID</cookie-name>        
        <cookie-path>/<DeployedApplicationPath></cookie-path>
        <cookie-http-only>true</cookie-http-only>
        <cookie-secure>true</cookie-secure>
        <url-rewriting-enabled>false</url-rewriting-enabled>
</session-descriptor>

Always make sure Cookies are set with always Auth Flag enabled by default for WebLogic server and also recommended to apply the weblogic patch 10.3.5 for versions using below weblogic 10.3.5 to reflect the above changes.

Parent topic: Secure the WebLogic Security Service