With Absence of WebLogic.xml - Secure Setting in Web.xml Doesn't Affect Cookie's Attribute (Doc ID 1941462.1)

Last updated on NOVEMBER 07, 2023

Applies to:

Oracle WebLogic Server - Version 12.1.2.0.0 to 12.1.3.0.0 [Release 12c]
Information in this document applies to any platform.

Symptoms

See also: <Document 1267117.1> How to Secure Cookies on Oracle WebLogic Server

The issue is specific to the cookie-config section in web.xml descriptor when an application does not have a weblogic.xml. The following is not working in web.xml:

<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>

The above setting can be used in web.xml to support http-only and secure settings. From testing the configuration it looks like the changes related to secure cookie settings in web.xml are not taking into effect or being honored. When the same settings are made in weblogic.xml file, the changes are taking place.

Tested with the sample application on WLS 12.1.2 and 12.1.3 version :

Changes

Cause

	To view full details, sign in with your My Oracle Support account.
	Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.

With Absence of WebLogic.xml - Secure Setting in Web.xml Doesn't Affect Cookie's Attribute (Doc ID 1941462.1)

Applies to:

Symptoms

Changes

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!