How to Set Secure and HTTPOnly Attributes on Cookies Sent from Various Oracle Fusion Middleware Applications (Doc ID 2160221.1)

Last updated on AUGUST 29, 2023

Applies to:

Oracle HTTP Server - Version 10.1.3.5.0 and later
Oracle WebLogic Server - Version 10.3.6 and later
Oracle Fusion Middleware - Version 10.1.3.5.0 and later
Information in this document applies to any platform.

Goal

How to Set Secure and HTTPOnly Attributes on Session Cookies Sent from Various Oracle Fusion Middleware Applications

You may find that the Secure attribute is missing from an encrypted session cookie. This document outlines how to set the Secure and HttpOnly attributes on session cookies sent from various Oracle Fusion Middleware applications. How cookies are set is application specific. When using SSL, the Secure attribute should be enabled and the HttpOnly attribute should be present. In Oracle environments, a Critical Patch Update may change the default or require administrators to apply a new setting. Below are common settings or documents for common Oracle Fusion Middleware applications, to be used as a reference.
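One way to check for the condition described above, as an added example that is not part of the Oracle document: the script parses Set-Cookie response headers and reports cookies that lack Secure or HttpOnly. The header lines and cookie names are constructed sample data, and the function names are hypothetical.

```python
# Added example: audit Set-Cookie headers for the Secure and HttpOnly attributes.
# The header lines below are constructed sample data, not output from a real server.

SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=abc123!-1; path=/; HttpOnly",
    "Set-Cookie: ORA_PREF=secure=no; Path=/app; Secure; HttpOnly",
    "Set-Cookie: tracking=httponly; path=/",
    "Set-Cookie: SESSION=xyz; Path=/; secure; httponly; SameSite=Lax",
]

REQUIRED = ("secure", "httponly")


def parse_set_cookie(header_line):
    """Return (cookie_name, set_of_lowercased_attribute_names)."""
    _, _, value = header_line.partition(":")
    parts = [p.strip() for p in value.split(";")]
    # The first part is always name=value; it is never an attribute,
    # so a value such as "secure=no" or "httponly" cannot satisfy the check.
    name = parts[0].partition("=")[0].strip()
    # Attribute names are case-insensitive; some carry a value (Path=/).
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(header_lines, https=True):
    """Map each cookie name to the list of required attributes it lacks.

    Secure is only required when the site is served over SSL/TLS (https=True).
    """
    required = REQUIRED if https else ("httponly",)
    findings = {}
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line)
        missing = [a for a in required if a not in attrs]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```
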

Solution


In this Document
Goal
 How to Set Secure and HTTPOnly Attributes on Session Cookies Sent from Various Oracle Fusion Middleware Applications
Solution
 Overview of Secure and HTTPOnly Attributes on Session Cookie
 Cookie Definitions
 Secure and HttpOnly Attributes
 Oracle WebLogic Server
 Fusion Middleware Control (EM)
 Oracle HTTP Server
 PL/SQL Gateway (OHS/mod_plsql)
 Oracle Containers for Java (OC4J)
 Oracle Web Cache
 Other Products and Issues
References