With Absence of WebLogic.xml - Secure Setting in Web.xml Doesn't Affect Cookie's Attribute

(Doc ID 1941462.1)

Last updated on APRIL 12, 2018

Applies to:

Oracle WebLogic Server - Version 12.1.2.0.0 to 12.1.3.0.0 [Release 12c]
Information in this document applies to any platform.

Symptoms

See also: <Note 1267117.1> How to Secure Cookies on Oracle WebLogic Server

The issue is specific to the cookie-config section of the web.xml descriptor when an application does not have a weblogic.xml. The following does not work in web.xml:

<cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
</cookie-config>

  
The above setting can be used in web.xml to support the http-only and secure settings. From testing the configuration, it appears that the secure cookie settings in web.xml are not taking effect or being honored. When the same settings are made in the weblogic.xml file, the changes take effect.

Tested with the sample application on WLS versions 12.1.2 and 12.1.3:

 

Cause
