My Oracle Support Banner

Setting Cookie-Http-Only On Weblogic Server 8.1-10.3.0 (Doc ID 1223074.1)

Last updated on MAY 23, 2022

Applies to:

Oracle WebLogic Server - Version 8.1 to 10.3
Information in this document applies to any platform.


Cookie-Http-Only: When this element is set to true, all session cookies would be unavailable to the browser scripts. When you tag a cookie with the HttpOnly flag, it tells the browser that this particular cookie should only be accessed by the server. Any attempt to access the cookie from client script is strictly forbidden. This is a very important implementation for security purposes.

Enable the cookie-http-only=true which is not possible through the xsd schema for Weblogic Server 10.3

An error is thrown when this parameter is set in the weblogic-application.xml:

The feature cookie-http-only is by default not available for weblogic 10.3 GA. It is only available for WLS 11g and further versions as a security fix has been made to WLS 10.3.1 such that JSESSIONID cookie is set as a HttpOnly cookie.




To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.