How to set up secure cookie on weblogic server
Posted by adejuanc on Oracle Blogs
Published on Tue, 9 Oct 2012 21:51:18 +0000
<WebServer Name="myserver" AuthCookieEnabled="true"/>
Setting AuthCookieEnabled to true, which is the default setting, causes the WebLogic Server instance to send a new secure cookie, _WL_AUTHCOOKIE_JSESSIONID, to the browser when authenticating via an HTTPS connection. Once the secure cookie is set, the session is allowed to access other security-constrained HTTPS resources only if the cookie is sent from the browser.
Thus, WebLogic Server uses two cookies: the JSESSIONID cookie and the _WL_AUTHCOOKIE_JSESSIONID cookie. By default, the JSESSIONID cookie is never secure, but the _WL_AUTHCOOKIE_JSESSIONID cookie is always secure. A secure cookie is only sent when an encrypted communication channel is in use. Assuming a standard HTTPS login (HTTPS is an encrypted HTTP connection), your browser gets both cookies.
For subsequent HTTP access, you are considered authenticated if you have a valid JSESSIONID cookie, but for HTTPS access, you must have both cookies to be considered authenticated. If you only have the JSESSIONID cookie, you must re-authenticate.
To configure this in the Admin Console:
- Log into WebLogic Admin Console.
- Under Domain Structure, click on <domainname>
- Select the "Web Applications" tab
- Select "Lock and Edit" in change center.
- Click on "Auth Cookie Enabled" checkbox.
- Restart to confirm changes.
- Test an application and view the cookie that was stored as "JSESSIONID"
To configure the web application's weblogic-application.xml file:
- Run the following to extract the weblogic-application.xml file from the web application's EAR: $PATH_JDK_HOME\bin\jar -xvf easy-web-examples.ear META-INF/weblogic-application.xml
- Add <cookie-secure>true</cookie-secure> inside the <session-descriptor> </session-descriptor> element of weblogic-application.xml.
- Run the following to repackage the file to the application: $PATH_JDK_HOME\bin\jar -uvf easy-web-examples.ear META-INF/weblogic-application.xml
- Deploy the application into WebLogic
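After either change, the way to confirm it took effect is to look at the Set-Cookie headers the server returns on an HTTPS login. The following checker is an added example, not code from the post or from Oracle: it parses Set-Cookie headers, applies the rule described above (the _WL_AUTHCOOKIE_JSESSIONID cookie must carry the Secure flag; JSESSIONID does only once cookie-secure is set), and models the HTTP-versus-HTTPS access decision. The sample headers and cookie values are constructed.

```python
"""Check WebLogic Set-Cookie headers for the two-cookie scheme (added example)."""
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"
AUTH_COOKIE = "_WL_AUTHCOOKIE_JSESSIONID"

# Constructed sample responses: what an HTTPS login returns with the default
# settings (AuthCookieEnabled=true, no cookie-secure) and after cookie-secure=true.
SAMPLE_DEFAULT = [
    "JSESSIONID=abc123xyz; Path=/; HttpOnly",
    "_WL_AUTHCOOKIE_JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly",
]
SAMPLE_HARDENED = [
    "JSESSIONID=abc123xyz; Path=/; Secure; HttpOnly",
    "_WL_AUTHCOOKIE_JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(headers):
    """Map cookie name -> {"secure": bool, "httponly": bool} from Set-Cookie values."""
    found = {}
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            # Flag attributes are True when present and "" when absent.
            found[name] = {"secure": bool(morsel["secure"]),
                           "httponly": bool(morsel["httponly"])}
    return found


def check_weblogic_cookies(headers):
    """Return a list of findings; an empty list means both cookies are as expected."""
    cookies = parse_set_cookie(headers)
    findings = []
    auth = cookies.get(AUTH_COOKIE)
    if auth is None:
        findings.append(f"{AUTH_COOKIE} not issued (AuthCookieEnabled false or login not over HTTPS)")
    elif not auth["secure"]:
        findings.append(f"{AUTH_COOKIE} lacks the Secure flag")
    sess = cookies.get(SESSION_COOKIE)
    if sess is None:
        findings.append(f"{SESSION_COOKIE} not issued")
    elif not sess["secure"]:
        findings.append(f"{SESSION_COOKIE} is not Secure (set <cookie-secure>true</cookie-secure>)")
    return findings


def is_authenticated(scheme, cookies_sent):
    """Access rule from the post: HTTP needs JSESSIONID, HTTPS needs both cookies."""
    if scheme == "http":
        return SESSION_COOKIE in cookies_sent
    if scheme == "https":
        return SESSION_COOKIE in cookies_sent and AUTH_COOKIE in cookies_sent
    raise ValueError(f"unknown scheme: {scheme}")
```

Feed it the real Set-Cookie headers from your login response (for example from your browser's developer tools) in place of the constructed samples.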
For further information, please read the documentation on "Using Secure Cookies to Prevent Session Stealing".