Web Session Cookie Contains HttpOnly Attribute After Oracle iPlanet Web Server 7.0.9 Update (Doc ID 1314365.1)

Last updated on NOVEMBER 05, 2016

Applies to:

Oracle iPlanet Web Server - Version 7.0 and later
Information in this document applies to any platform.
***Checked for relevance on 02-Jul-2014***

Goal

This document describes the change to the iPlanet Web Server Java session cookie implemented from iPlanet Web Server 7.0 Update 9 onwards. It also describes how to disable the HttpOnly attribute on the session cookie.

In Web Server 7.0 Update 9 and later, session cookies for Java web applications have the HttpOnly attribute added by default. In the raw HTTP response headers, the new session cookie looks like this:

HTTP/1.1 200 OK
Server: Oracle-iPlanet-Web-Server/7.0
Date: Mon, 18 Apr 2011 01:31:02 GMT
Content-type: text/html;charset=ISO-8859-1
Content-length: 2
Set-cookie: JSESSIONID=41D8404612A55226D63BB69782CD8DCA; Path=/ ; HttpOnly


When the HttpOnly attribute is included in the session cookie, it tells browsers that support this attribute not to allow client-side scripts, such as JavaScript, to access this particular cookie. Currently, the HttpOnly attribute is always added to the web session cookie in iPlanet Web Server 7.0 Update 9 and later, and there is no built-in option to selectively disable it.
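As an added example (not part of Oracle's document or the product), the Python below parses the Set-Cookie headers of a raw HTTP response and reports session cookies that are set without HttpOnly, tolerating the header-name case and the spacing around `;` seen in the response above. The function names are hypothetical, the first sample is the response above with some headers trimmed, and the second sample is constructed.

```python
# Added example: audit Set-Cookie headers in a raw HTTP response for HttpOnly.

def parse_set_cookies(raw_response):
    """Return (name, value, attrs) for each Set-Cookie header.

    attrs maps lower-cased attribute names to their values ('' for flags).
    """
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    cookies = []
    for line in head.split("\n")[1:]:              # skip the status line
        field, sep, content = line.partition(":")
        # Header names are case-insensitive ("Set-cookie" on this server).
        if not sep or field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in content.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:                     # attributes follow the pair
            if part:
                key, _, val = part.partition("=")
                attrs[key.strip().lower()] = val.strip()
        cookies.append((name.strip(), value.strip(), attrs))
    return cookies


def cookies_missing_httponly(raw_response, names=("JSESSIONID",)):
    """Names of the listed cookies that are set without HttpOnly."""
    return [name for name, _, attrs in parse_set_cookies(raw_response)
            if name in names and "httponly" not in attrs]


# Response from this document (Update 9 and later), some headers trimmed.
UPDATE9_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Oracle-iPlanet-Web-Server/7.0\r\n"
    "Set-cookie: JSESSIONID=41D8404612A55226D63BB69782CD8DCA; Path=/ ; HttpOnly\r\n"
    "\r\n"
    "ok"
)
# Constructed sample: no HttpOnly attribute; the text "HttpOnly" inside the
# cookie value must not be mistaken for the attribute.
NO_HTTPONLY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=HttpOnly41D8; Path=/\r\n"
    "\r\n"
    "ok"
)

if __name__ == "__main__":
    for label, resp in (("update 9", UPDATE9_RESPONSE),
                        ("constructed", NO_HTTPONLY_RESPONSE)):
        print(label, cookies_missing_httponly(resp) or "session cookie is HttpOnly")
```

Matching on parsed attribute names rather than searching the header for the substring "HttpOnly" avoids a false pass when that text appears in the cookie value.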

Solution
