Web Cache Removes The Secure Cookie Attribute In the Header (Doc ID 462228.1)

Last updated on MARCH 23, 2020

Applies to:

Web Cache - Version to [Release AS10gR2]
Information in this document applies to any platform.


The secure cookie attribute is removed when the HTTP request is handled by Web Cache.
The cookies affected include JSESSIONID.

According to RFC 2109, the 'secure' attribute may be set for cookies. This directs the user agent to use only (unspecified) secure means to contact the origin server whenever it sends back this cookie. The problem here is that although the 'secure' attribute is set in the header sent by the HTTP Server, it is missing when the header is checked in the response returned from Web Cache.

Use the Web Cache IOLOGGER or a browser header trace utility to confirm the symptoms.

JSESSIONID=<JSESSION_ID>;path=/OnDemand; secure

There is no problem when the request is direct to the HTTP Server (not involving Web Cache).

The problem can be confirmed as follows using modplsql:

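create or replace procedure tar_set_cookie is
  p_listener_token VARCHAR2(100) := '<hostname>';
  p_cookie_name    VARCHAR2(100) := 'cookietest';
  p_cookie_value   VARCHAR2(100) := 'adaasdasdadadasd';
BEGIN
  -- Open the HTTP header but leave it open so more header lines can follow
  owa_util.mime_header('text/html', FALSE);
  htp.p('Expires: Thu, 29 Oct 2000 17:04:19 GMT');
  htp.p('Pragma: no-cache');
  htp.p('Cache-Control: no-cache');

  -- Send the test cookie with the secure attribute requested
  owa_cookie.send(name   => p_cookie_name,
                  value  => p_cookie_value,
                  secure => 'TRUE');

  -- Close the header block before writing the body
  owa_util.http_header_close;

  htp.p('cookie set!');
END tar_set_cookie;
/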

Accessing the procedure via Web Cache returns the following response:

HTTP/1.1 200 OK
Expires: Thu, 29 Oct 2000 17:04:19 GMT
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html; charset=WINDOWS-1252
Content-Length: 12
Set-Cookie: <cookie>
Connection: Keep-Alive
Keep-Alive: timeout=5, max=999
Date: Thu, 02 Aug 2007 12:45:11 GMT
X-DB-Content-length: 12

Accessing the procedure via the HTTP Server directly returns the following response:

HTTP/1.1 200 OK
Date: Thu, 02 Aug 2007 12:45:05 GMT
Expires: Thu, 29 Oct 2000 17:04:19 GMT
Pragma: no-cache
Cache-Control: no-cache
X-DB-Content-length: 12
Set-Cookie: <cookie>
Connection: close
Content-Type: text/html; charset=WINDOWS-1252

Notice that the ;secure attribute is missing from the response received via Web Cache.
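
The header comparison described above can be scripted. The following Python is an added example, not part of the original note or Oracle's code; the function names and the cookie values in the two sample responses are constructed for illustration.

```python
# Added example: report cookie attributes that the origin server sets but that
# are absent from the same response fetched through an intermediary cache.
# The sample responses are constructed; the note itself redacts the cookie values.

def parse_set_cookies(raw_response):
    """Map cookie name -> set of lower-cased attribute names from Set-Cookie lines."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    cookies = {}
    for line in head.split("\n")[1:]:              # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0].strip()
        if cookie_name:
            cookies[cookie_name] = {
                p.partition("=")[0].strip().lower() for p in parts[1:] if p
            }
    return cookies

def stripped_attributes(direct_raw, proxied_raw, watch=("secure",)):
    """Return {cookie: [watched attrs present direct but absent via the cache]}."""
    direct = parse_set_cookies(direct_raw)
    proxied = parse_set_cookies(proxied_raw)
    findings = {}
    for cookie, attrs in direct.items():
        if cookie not in proxied:
            findings[cookie] = ["<cookie missing>"]
            continue
        lost = sorted(a for a in watch if a in attrs and a not in proxied[cookie])
        if lost:
            findings[cookie] = lost
    return findings

# Constructed sample: response fetched directly from the HTTP Server
DIRECT = ("HTTP/1.1 200 OK\r\nDate: Thu, 02 Aug 2007 12:45:05 GMT\r\n"
          "Set-Cookie: cookietest=constructedvalue; secure\r\n"
          "Set-Cookie: JSESSIONID=CONSTRUCTED0001;path=/OnDemand; secure\r\n"
          "Content-Type: text/html\r\n\r\ncookie set!\n")
# Constructed sample: same response through the cache, secure attribute gone
VIA_CACHE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Set-Cookie: cookietest=constructedvalue\r\n"
             "Set-Cookie: JSESSIONID=CONSTRUCTED0001;path=/OnDemand\r\n"
             "Date: Thu, 02 Aug 2007 12:45:11 GMT\r\n\r\ncookie set!\n")

if __name__ == "__main__":
    for cookie, lost in stripped_attributes(DIRECT, VIA_CACHE).items():
        print(f"{cookie}: missing via cache -> {', '.join(lost)}")
```

Pass other attribute names in `watch` to check them the same way.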


