With Absence of WebLogic.xml - Secure Setting in Web.xml Doesn't Affect Cookie's Attribute
Last updated on APRIL 12, 2018
Applies to: Oracle WebLogic Server - Version 220.127.116.11.0 to 18.104.22.168.0 [Release 12c]
Information in this document applies to any platform.
See also: <Note 1267117.1> How to Secure Cookies on Oracle WebLogic Server
The issue is specific to the cookie-config section in the web.xml descriptor when an application does not have a weblogic.xml. The following is not working in web.xml:
The above setting can be used in web.xml to support the http-only and secure settings. Testing the configuration indicates that the secure cookie settings in web.xml are not taking effect or being honored. When the same settings are made in the weblogic.xml file, the changes take effect.
Tested with the sample application on WLS versions 12.1.2 and 12.1.3:
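Added example (not part of the Oracle note and not Oracle's code): a static check for the condition described above, a WAR whose web.xml sets `secure` or `http-only` under `cookie-config` while the archive carries no `WEB-INF/weblogic.xml`. The function names and the sample archive are constructed for illustration, and the check assumes the standard `WEB-INF/` descriptor locations.

```python
import io
import zipfile
import xml.etree.ElementTree as ET


def local(tag):
    """Strip the XML namespace so every web.xml schema version matches."""
    return tag.rsplit("}", 1)[-1]


def cookie_config_flags(web_xml_bytes):
    """Return the secure / http-only values declared under <cookie-config>."""
    flags = {"secure": False, "http-only": False}
    for elem in ET.fromstring(web_xml_bytes).iter():
        if local(elem.tag) == "cookie-config":
            for child in elem:
                name = local(child.tag)
                if name in flags:
                    flags[name] = (child.text or "").strip().lower() == "true"
    return flags


def audit_war(war_file):
    """Flag a WAR that declares cookie flags in web.xml but has no weblogic.xml."""
    with zipfile.ZipFile(war_file) as war:
        names = set(war.namelist())
        has_web = "WEB-INF/web.xml" in names
        declared = cookie_config_flags(war.read("WEB-INF/web.xml")) if has_web else {}
    has_wl = "WEB-INF/weblogic.xml" in names
    return {"declared": declared, "has_weblogic_xml": has_wl,
            "at_risk": any(declared.values()) and not has_wl}


def build_sample_war(with_weblogic_xml):
    """Constructed sample archive for the demo (not taken from the Oracle note)."""
    web_xml = ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">'
               "<session-config><cookie-config><http-only>true</http-only>"
               "<secure>true</secure></cookie-config></session-config></web-app>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", web_xml)
        if with_weblogic_xml:
            war.writestr("WEB-INF/weblogic.xml", "<weblogic-web-app/>")
    return buf


if __name__ == "__main__":
    print([audit_war(build_sample_war(p))["at_risk"] for p in (False, True)])
```

An `at_risk` result only identifies archives that match the condition in this note; whether the flags are actually emitted is confirmed by inspecting the `Set-Cookie` header the deployed application returns.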