Web Session Cookie Contains HttpOnly Attribute After Oracle iPlanet Web Server 7.0.9 Update
Last updated on NOVEMBER 05, 2016
Applies to: Oracle iPlanet Web Server - Version 7.0 and later
Information in this document applies to any platform.
***Checked for relevance on 02-Jul-2014***
This document describes the change to the iPlanet Web Server Java session cookie implemented from iPlanet Web Server 7.0 update 9 onwards. This document also describes how to disable the HttpOnly attribute on the session cookie.
In Web Server 7.0 Update 9 and later, session cookies for Java web applications have the HttpOnly attribute added by default. In the raw HTTP response headers, the new session cookie looks like this:
Date: Mon, 18 Apr 2011 01:31:02 GMT
Set-cookie: JSESSIONID=41D8404612A55226D63BB69782CD8DCA; Path=/ ; HttpOnly
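To confirm the attribute on a captured response after the update, the headers can be parsed and checked as below. This is an added example, not Oracle's code: the function names are hypothetical, the first sample is the header shown above, and the second sample is constructed without the attribute for contrast.

```python
# Added example: report session cookies in raw response headers that lack HttpOnly.

SAMPLE_WITH_ATTR = (  # header lines as shown in this document
    "Date: Mon, 18 Apr 2011 01:31:02 GMT\r\n"
    "Set-cookie: JSESSIONID=41D8404612A55226D63BB69782CD8DCA; Path=/ ; HttpOnly\r\n"
)
SAMPLE_WITHOUT_ATTR = (  # constructed: the same cookie with the attribute absent
    "Date: Mon, 18 Apr 2011 01:31:02 GMT\r\n"
    "Set-cookie: JSESSIONID=41D8404612A55226D63BB69782CD8DCA; Path=/\r\n"
)


def parse_set_cookies(raw_headers):
    """Return [(name, value, attrs)] for every Set-Cookie line in a header block."""
    cookies = []
    for line in raw_headers.splitlines():
        field, sep, rest = line.partition(":")
        # Header field names are case-insensitive ("Set-cookie" above).
        if not sep or field.strip().lower() != "set-cookie":
            continue
        # Strip each part: the server emits "Path=/ ; HttpOnly" with a space
        # before the semicolon.
        parts = [p.strip() for p in rest.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:
            if part:
                key, _, val = part.partition("=")
                # Attribute names are case-insensitive; flags have no value.
                attrs[key.strip().lower()] = val.strip()
        cookies.append((name.strip(), value.strip(), attrs))
    return cookies


def cookies_missing_httponly(raw_headers, names=("JSESSIONID",)):
    """Names of the listed cookies that are set without the HttpOnly flag."""
    return [
        name
        for name, _value, attrs in parse_set_cookies(raw_headers)
        if name in names and "httponly" not in attrs
    ]


if __name__ == "__main__":
    for label, raw in (("with attribute", SAMPLE_WITH_ATTR),
                       ("without attribute", SAMPLE_WITHOUT_ATTR)):
        missing = cookies_missing_httponly(raw)
        print(label, "->", "missing HttpOnly: %s" % missing if missing else "OK")
```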