Web Cache Removes The Secure Cookie Attribute In the Header (Doc ID 462228.1)

Last updated on MAY 01, 2023

Applies to:

Symptoms

The secure cookie attribute is removed when the HTTP request is handled by Web Cache.
The cookies affected include JSESSIONID.

According to the internet protocol standard rfc 2109, the 'secure' attribute may be set for cookies. This directs the user agent to use only (unspecified) secure means to contact the origin server whenever it sends back this cookie. The problem here is that although the 'secure' attribute is set in the header seen from the HTTP  Server, it is missing when the header is checked in the request returned from Web Cache.

Using the Web Cache IOLOGGER or a browser header trace utility confirm the symptoms.

eg 
JSESSIONID=<JSESSION_ID>;path=/OnDemand; secure
Becomes
JSESSIONID=<JSESSION_ID>;path=/OnDemand;

There is no problem when the request is direct to the HTTP Server (not involving Web Cache).

Accessing via webcache receive the following response:

HTTP/1.1 200 OK
Expires: Thu, 29 Oct 2000 17:04:19 GMT
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html; charset=WINDOWS-1252
Content-Length: 12
Set-Cookie: <cookie>
Connection: Keep-Alive
Keep-Alive: timeout=5, max=999
Date: Thu, 02 Aug 2007 12:45:11 GMT
X-DB-Content-length: 12

Accessing via HTTP server directly receive the following response:

HTTP/1.1 200 OK
Date: Thu, 02 Aug 2007 12:45:05 GMT
Expires: Thu, 29 Oct 2000 17:04:19 GMT
Pragma: no-cache
Cache-Control: no-cache
X-DB-Content-length: 12
Set-Cookie: <cookie>
Connection: close
Content-Type: text/html; charset=WINDOWS-1252

Notice that the ;secure tag is missing via web cache.

.

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.