With Absence of WebLogic.xml - Secure Setting in Web.xml Doesn't Affect Cookie's Attribute (Doc ID 1941462.1)

Last updated on FEBRUARY 27, 2019

Applies to:

Oracle WebLogic Server - Version 12.1.2.0.0 to 12.1.3.0.0 [Release 12c]
Information in this document applies to any platform.

Symptoms

See also: <Document 1267117.1> How to Secure Cookies on Oracle WebLogic Server

The issue is specific to the cookie-config section of the web.xml descriptor when an application does not have a weblogic.xml. The following does not work in web.xml:

<cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
</cookie-config>

The setting above is meant to enable the http-only and secure cookie attributes from web.xml. Testing indicates that the secure cookie settings in web.xml do not take effect and are not honored. When the same settings are made in the weblogic.xml file, they do take effect.
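
Because the descriptor setting can be ignored without any error, the reliable check is the Set-Cookie header the server actually sends. The following is an added example, not part of the original note or of Oracle's code: it audits raw response headers for the Secure and HttpOnly attributes. The cookie name JSESSIONID and both sample responses are assumptions constructed for illustration.

```python
REQUIRED = ("secure", "httponly")  # attribute names, compared in lowercase


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Only the tokens after the first ';' are attributes, and only the part
    # before any '=' is compared, so a cookie *value* that happens to contain
    # the text "secure" is not mistaken for the Secure attribute.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(raw_headers, cookie_name="JSESSIONID"):
    """Return {cookie name: [missing attributes]} for matching Set-Cookie lines.

    cookie_name is an assumed session cookie name; pass None to audit every cookie.
    """
    findings = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line or some other header
        name, attrs = parse_set_cookie(value.strip())
        if cookie_name is None or name == cookie_name:
            findings[name] = [a for a in REQUIRED if a not in attrs]
    return findings


# Constructed sample responses (not captured from a real server).
# First: the symptom described above, where the attributes are absent.
NOT_HONORED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=abc123secure!-1; path=/\r\n"
    "Content-Type: text/html\r\n"
)
# Second: the expected header once the settings are honored.
HONORED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=abc123!-1; path=/; Secure; HttpOnly\r\n"
)

if __name__ == "__main__":
    for label, raw in (("not honored", NOT_HONORED), ("honored", HONORED)):
        print(label, audit_response(raw))
```

An empty list for a cookie means both attributes are present; the header text can come from any saved HTTP response of the deployed application.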

Tested with the sample application on WLS versions 12.1.2 and 12.1.3:

 

Changes

 

Cause
