Http Only and Secure Cookie Flag not Working in OHS (Doc ID 2803996.1)

Last updated on SEPTEMBER 09, 2021

Applies to:

Oracle HTTP Server - Version 12.2.1.3.0 and later
Information in this document applies to any platform.

Symptoms

Using the web browser's Developer Tools, it was found that the "HttpOnly" and "Secure" flags were not set for a session cookie called JSESSIONID. This was seen even though httpd.conf and weblogic.xml were configured to set these flags on the cookies set and passed by WebLogic Server and OHS.

This issue can be reproduced by the following steps:

1) Open the Developer Tools in the browser.

2) Check the HTTP headers and find that HttpOnly and Secure are unchecked for a cookie named JSESSIONID. Note that the flags are checked for other session cookies.
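
The same check can be made against the raw response headers rather than the Developer Tools view. The following is an added example, not part of the Oracle document; the sample headers and the cookie names other than JSESSIONID are constructed for illustration.

```python
# Constructed sample response headers, not captured from a real OHS instance.
# The cookie names other than JSESSIONID are hypothetical.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=abc123secure!-1; path=/app
Set-Cookie: OTHERSESSION=xyz789; Path=/; Secure; HttpOnly
set-cookie: PREF=lang=en; path=/; secure
"""


def audit_set_cookie(raw_headers):
    """Map each cookie name to whether its Set-Cookie header carries Secure / HttpOnly."""
    results = {}
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        parts = value.split(";")
        # The first segment is name=value; only later segments are attributes,
        # so a cookie value that happens to contain "secure" is not counted.
        cookie_name = parts[0].partition("=")[0].strip()
        # Attribute names are case-insensitive.
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
        results[cookie_name] = {
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
        }
    return results


def missing_flags(raw_headers):
    """Return (cookie, flag) pairs for every flag that is absent."""
    findings = []
    for cookie, flags in audit_set_cookie(raw_headers).items():
        if not flags["secure"]:
            findings.append((cookie, "Secure"))
        if not flags["httponly"]:
            findings.append((cookie, "HttpOnly"))
    return findings


if __name__ == "__main__":
    for cookie, flag in missing_flags(SAMPLE_HEADERS):
        print(f"{cookie}: {flag} flag not set")
```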

Changes

In this case, the following document was referenced: How to Set Secure and HTTPOnly Attributes on Cookies Sent from Various Oracle Fusion Middleware Applications (Doc ID 2160221.1)

Cause
