Insecure Cookie Configuration: Secure Flag JSESSION ID Documaker (Doc ID 2706881.1)

Last updated on SEPTEMBER 02, 2020

Applies to:

Oracle Documaker - Version 12.2 and later
Information in this document applies to any platform.


The reported issue concerns JSESSIONID. Based on the doc ID, support says the application creates two cookies: JSESSIONID and _WL_AUTHCOOKIE_JSESSIONID. Per the support update, it is something like this: one is secure and the other is not, and all HTTPS communication will work only with the _WL_AUTHCOOKIE_JSESSIONID cookie. Please find the doc ID below.

Secure Flags Were Not Set To "Secure" When Creating Session Cookies. (Doc ID 1677578.1)


The application sends session tokens as query string parameters in the URL. URLs may end up being recorded at several points including the user’s browser history, bookmarks, server logs, intermediate proxies, etc. The risk of disclosure to third parties via the HTTP Referer header or by the user copying the URL and pasting it should also be considered.
For example, the application sends the session identifier as a query string parameter in the following URLs:

If an adversary is able to intercept a session token, they can use it to gain unauthorized access to the application and hijack the victim’s session.
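The following check is an added example, not part of the Oracle document or of Documaker. It audits captured `Set-Cookie` header values for the two cookies named above and flags URLs that carry a session identifier. The header values, host name, and the `jsessionid` parameter name are constructed assumptions, and the `;jsessionid=` path-parameter form goes beyond the query-string case the text describes.

```python
from urllib.parse import urlsplit, parse_qsl

SESSION_COOKIES = {"JSESSIONID", "_WL_AUTHCOOKIE_JSESSIONID"}  # names from the page
SESSION_PARAMS = {"jsessionid"}  # assumed parameter name, not taken from the page

# Constructed sample data, not captured from a real Documaker deployment.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; path=/; HttpOnly",
    "_WL_AUTHCOOKIE_JSESSIONID=def456; path=/; secure; HttpOnly",
]
SAMPLE_URLS = [
    "https://documaker.example.test/app/view?docId=42&jsessionid=abc123",
    "https://documaker.example.test/app/list;jsessionid=abc123?page=2",
    "https://documaker.example.test/app/home",
]

def audit_set_cookie(header_value):
    """Return (cookie_name, has_secure_flag) for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, "secure" in attrs

def session_id_in_url(url):
    """True if a session id appears in the query string or as a path parameter."""
    split = urlsplit(url)
    query_keys = {k.lower() for k, _ in parse_qsl(split.query, keep_blank_values=True)}
    in_query = bool(query_keys & SESSION_PARAMS)
    in_path = any(f";{p}=" in split.path.lower() for p in SESSION_PARAMS)
    return in_query or in_path

def audit(set_cookie_headers, urls):
    """Collect findings; the token itself is never echoed into the report."""
    findings = []
    for header in set_cookie_headers:
        name, secure = audit_set_cookie(header)
        if name in SESSION_COOKIES and not secure:
            findings.append(f"cookie {name}: Secure attribute not set")
    for url in urls:
        if session_id_in_url(url):
            path = urlsplit(url).path.split(";")[0]  # drop the path parameter
            findings.append(f"session id in URL: {path}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, SAMPLE_URLS):
        print(finding)
```
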

