Web Cache Removes The Secure Cookie Attribute In the Header (Doc ID 462228.1)

Last updated on NOVEMBER 04, 2016

Applies to:

Web Cache - Version 10.1.2.0.2 to 10.1.2.2.1 [Release AS10gR2]
Information in this document applies to any platform.

Symptoms

The secure cookie attribute is removed from the Set-Cookie header when the HTTP response passes through Web Cache.
The cookies affected include JSESSIONID.

According to RFC 2109 (HTTP State Management Mechanism), the 'secure' attribute may be set on a cookie. It directs the user agent to use only (unspecified) secure means to contact the origin server whenever it sends back this cookie; in practice the browser will only return the cookie over HTTPS. The problem here is that although the 'secure' attribute is present in the Set-Cookie header sent by the HTTP Server, it is missing when the header is inspected in the response returned by Web Cache, so the browser may also send the cookie over plain HTTP.

The symptoms can be confirmed using the Web Cache IOLOGGER or a browser header trace utility. For example, the Set-Cookie value

JSESSIONID=0a9c10b630d551d67440b9cd422db80eb8087f24334a.e34Nb346jAmljGr5XDqQLvpAe;path=/OnDemand; secure

becomes

JSESSIONID=0a9c10b630d551d67440b9cd422db80eb8087f24334a.e34Nb346jAmljGr5XDqQLvpAe;path=/OnDemand;

There is no problem when the request goes directly to the HTTP Server (not involving Web Cache).

The problem can be reproduced as follows using a mod_plsql procedure that sets a cookie with secure => 'TRUE':

create or replace procedure tar_set_cookie is
  -- Test values; the listener token is the host name passed to the SSO enabler
  p_listener_token VARCHAR2(100) := 'www.horizondemo.com';
  p_cookie_name    VARCHAR2(100) := 'cookietest';
  p_cookie_value   VARCHAR2(100) := 'adaasdasdadadasd';
BEGIN
  -- Open the HTTP header block (FALSE: leave it open for further headers)
  owa_util.mime_header('text/html', FALSE);
  -- Mark the response uncacheable so Web Cache must pass it straight through
  htp.p('Expires: Thu, 29 Oct 2000 17:04:19 GMT');
  htp.p('Pragma: no-cache');
  htp.p('Cache-Control: no-cache');

  -- Send the cookie with the secure attribute set
  owa_cookie.send(name   => p_cookie_name,
                  value  => wwsec_sso_enabler.encrypt_cookie(p_listener_token, p_cookie_value),
                  secure => 'TRUE');

  owa_util.http_header_close;

  htp.p('cookie set!');
END tar_set_cookie;
/

Accessing the procedure via Web Cache returns the following response:

HTTP/1.1 200 OK
Expires: Thu, 29 Oct 2000 17:04:19 GMT
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html; charset=WINDOWS-1252
Content-Length: 12
Set-Cookie: cookietest=9A83EDA234CBAA7F007C63FA97CAED2BA69A43E55B0C6F4A7B1424CB0ECD7351
Connection: Keep-Alive
Keep-Alive: timeout=5, max=999
Date: Thu, 02 Aug 2007 12:45:11 GMT
X-DB-Content-length: 12

Accessing the HTTP Server directly returns the following response:

HTTP/1.1 200 OK
Date: Thu, 02 Aug 2007 12:45:05 GMT
Expires: Thu, 29 Oct 2000 17:04:19 GMT
Pragma: no-cache
Cache-Control: no-cache
X-DB-Content-length: 12
Set-Cookie: cookietest=9A83EDA234CBAA7F007C63FA97CAED2BA69A43E55B0C6F4A7B1424CB0ECD7351;secure
Connection: close
Content-Type: text/html; charset=WINDOWS-1252

Notice that the ;secure attribute is missing from the Set-Cookie header in the response delivered via Web Cache.
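To automate the comparison above, the following Python script (an added example, not part of this note or of Oracle Web Cache) parses the Set-Cookie headers of a direct response and of a proxied response and reports every security attribute the proxied copy lost. The two sample responses are constructed from the traces above, with the JSESSIONID cookie from the earlier trace added so that more than one cookie is checked; the function and constant names are assumptions made for this example. It generalises the check beyond 'secure' to the HttpOnly and SameSite attributes, which a proxy could strip the same way.

```python
# Constructed sample responses, built from the header traces in this note.
# The JSESSIONID line is added (constructed) to cover a second affected cookie.
RESPONSE_DIRECT = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 02 Aug 2007 12:45:05 GMT\r\n"
    "Expires: Thu, 29 Oct 2000 17:04:19 GMT\r\n"
    "Pragma: no-cache\r\n"
    "Cache-Control: no-cache\r\n"
    "Set-Cookie: cookietest=9A83EDA234CBAA7F007C63FA97CAED2BA69A43E55B0C6F4A7B1424CB0ECD7351;secure\r\n"
    "Set-Cookie: JSESSIONID=0a9c10b630d551d67440b9cd422db80eb8087f24334a.e34Nb346jAmljGr5XDqQLvpAe;path=/OnDemand; secure\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=WINDOWS-1252\r\n"
    "\r\n"
    "cookie set!\n"
)

RESPONSE_VIA_WEBCACHE = (
    "HTTP/1.1 200 OK\r\n"
    "Expires: Thu, 29 Oct 2000 17:04:19 GMT\r\n"
    "Pragma: no-cache\r\n"
    "Cache-Control: no-cache\r\n"
    "Content-Type: text/html; charset=WINDOWS-1252\r\n"
    "Set-Cookie: cookietest=9A83EDA234CBAA7F007C63FA97CAED2BA69A43E55B0C6F4A7B1424CB0ECD7351\r\n"
    "Set-Cookie: JSESSIONID=0a9c10b630d551d67440b9cd422db80eb8087f24334a.e34Nb346jAmljGr5XDqQLvpAe;path=/OnDemand;\r\n"
    "Connection: Keep-Alive\r\n"
    "Keep-Alive: timeout=5, max=999\r\n"
    "Date: Thu, 02 Aug 2007 12:45:11 GMT\r\n"
    "\r\n"
    "cookie set!\n"
)

# Attributes whose loss weakens the cookie. RFC 2109 defines only 'secure';
# the other two are later additions and are checked the same way.
SECURITY_ATTRIBUTES = ("secure", "httponly", "samesite")


def set_cookie_values(raw_response):
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(value):
    """Split 'name=value; attr=val; flag' into (name, value, {attr: val|True}).

    Attribute names are folded to lower case because they are case-insensitive;
    empty segments (such as the trailing ';' left by Web Cache) are ignored.
    """
    segments = [s.strip() for s in value.split(";")]
    name, _, cookie_value = segments[0].partition("=")
    attrs = {}
    for seg in segments[1:]:
        if not seg:
            continue
        key, sep, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), cookie_value.strip(), attrs


def dropped_attributes(direct_raw, proxied_raw):
    """Map cookie name -> security attributes set by the origin but absent in the
    proxied response. An empty dict means the proxy preserved all of them."""
    direct = {n: a for n, _, a in map(parse_set_cookie, set_cookie_values(direct_raw))}
    proxied = {n: a for n, _, a in map(parse_set_cookie, set_cookie_values(proxied_raw))}
    report = {}
    for name, attrs in direct.items():
        if name not in proxied:
            report[name] = ["(cookie missing)"]
            continue
        lost = [k for k in SECURITY_ATTRIBUTES if k in attrs and k not in proxied[name]]
        if lost:
            report[name] = lost
    return report


if __name__ == "__main__":
    for cookie, lost in dropped_attributes(RESPONSE_DIRECT, RESPONSE_VIA_WEBCACHE).items():
        print(f"{cookie}: attribute(s) stripped by the proxy: {', '.join(lost)}")
```

Replace the two constants with raw responses captured from the HTTP Server and from Web Cache (for example from the IOLOGGER output); with the traces from this note the script reports both cookietest and JSESSIONID as having lost the secure attribute.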


Cause
