My Oracle Support Banner

Http Only and Secure Cookie Flag not Working in OHS (Doc ID 2803996.1)

Last updated on MARCH 19, 2024

Applies to:

Oracle HTTP Server - Version and later
Information in this document applies to any platform.


It was found from using the Web Browser's Developer Tools, that the "HttpOnly" and "Secure" flags were not set for a Session Cookie called JSESSIONID. This was seen even though the httpd.conf and weblogic.xml were configured to ensure these were set for the cookies being set and passed by WebLogic Server and OHS.

This issue can be reproduced by the following steps:

1) Open the Developer Tools plugin to the browser.

2) Check the HTTP Headers and find that HttpOnly and Secure are unchecked for a cookie named JSESSIONID. Note that the flags are checked for other Session cookies.


In this case the following document was referred - How to Set Secure and HTTPOnly Attributes on Cookies Sent from Various Oracle Fusion Middleware Applications (Doc ID 2160221.1)


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.