5 replies. Latest reply: Nov 28, 2012 12:38 AM by user116837

How to set JSESSION ID as secure in Weblogic 10.3.5.0

952599 Newbie
Hi,

I want to set my cookies to secure, and I am trying to make the JSESSIONID cookie secure as well.

We are using WebLogic 10.3.5.0. For all other cookies we set cookies.setSecure(true) while creating the cookie itself, as per the Servlet API.

But for JSESSIONID, I am not able to set it to secure. I tried setting the cookies-secure flag to true, but it did not work out for me.

If anybody knows how to set the JSESSIONID cookie secure in WebLogic 10.3.5.0, please let me know.

Thanks in advance....

Edited by: 949596 on Aug 28, 2012 3:24 AM
  • 1. Re: How to set JSESSION ID as secure in Weblogic 10.3.5.0
    RenévanWijk Oracle ACE
    From the documentation (http://docs.oracle.com/cd/E17904_01/web.1111/e13711/thin_client.htm#SCPRG139) it looks like it is the default setting:

    "Setting AuthCookieEnabled to true, which is the default setting, causes the WebLogic Server instance to send a new secure cookie, _WL_AUTHCOOKIE_JSESSIONID, to the browser when authenticating via an HTTPS connection. Once the secure cookie is set, the session is allowed to access other security-constrained HTTPS resources only if the cookie is sent from the browser."
  • 2. Re: How to set JSESSION ID as secure in Weblogic 10.3.5.0
    952599 Newbie
    Hey, thanks for your reply.

    But I have tried the following ways:

    <WebServer Name="myserver" AuthCookieEnabled="true"/>

    and also like the below

    <WebServer>
              <AuthCookieEnabled>true</AuthCookieEnabled>
         </WebServer>

    When I add these snippets to config.xml, WebLogic startup fails. The server fails to start.

    I am worried whether this works for WebLogic version 10.3.5.0.

    Please reply if anybody already has a solution for this. Thanks.
  • 3. Re: How to set JSESSION ID as secure in Weblogic 10.3.5.0
    Faisal Khan Expert
    You can refer to this:

    http://weblogic-wonders.com/weblogic/2010/07/09/securing-cookies-on-weblogic-server/
  • 4. Re: How to set JSESSION ID as secure in Weblogic 10.3.5.0
    RenévanWijk Oracle ACE
    Looks like you are right that it does not work for WebLogic 10.3.5 (as the documentation shows: http://docs.oracle.com/cd/E21764_01/web.1111/e13711/thin_client.htm#i1053779)

    To see how you have to configure it correctly, you have to consult the domain.xsd file (http://xmlns.oracle.com/weblogic/1.0/domain.xsd):
    <xs:complexType name="web-serverType">
        <xs:complexContent>
          <xs:extension base="dom:deploymentType">
            <xs:sequence>
              <xs:element minOccurs="0" name="web-server-log" nillable="true" type="dom:web-server-logType"></xs:element>
              <xs:element minOccurs="0" name="frontend-host" nillable="true" type="xs:string"></xs:element>
              <xs:element default="0" minOccurs="0" name="frontend-http-port" nillable="false" type="xs:int"></xs:element>
              <xs:element default="0" minOccurs="0" name="frontend-https-port" nillable="false" type="xs:int"></xs:element>
              <xs:element default="503" minOccurs="0" name="overload-response-code" nillable="false"></xs:element>
              <xs:element default="true" minOccurs="0" name="keep-alive-enabled" nillable="false" type="xs:boolean"></xs:element>
              <xs:element default="30" minOccurs="0" name="keep-alive-secs" nillable="false"></xs:element>
              <xs:element default="60" minOccurs="0" name="https-keep-alive-secs" nillable="false"></xs:element>
              <xs:element default="30" minOccurs="0" name="post-timeout-secs" nillable="false"></xs:element>
              <xs:element default="-1" minOccurs="0" name="max-post-time-secs" nillable="false" type="xs:int"></xs:element>
              <xs:element default="-1" minOccurs="0" name="max-post-size" nillable="false" type="xs:int"></xs:element>
              <xs:element default="false" minOccurs="0" name="send-server-header-enabled" nillable="false" type="xs:boolean"></xs:element>
              <xs:element minOccurs="0" name="default-web-app-context-root" nillable="true" type="xs:string"></xs:element>
              <xs:element minOccurs="0" name="charsets" nillable="true" type="xs:string"></xs:element>
              <xs:element minOccurs="0" name="url-resource" nillable="true" type="xs:string"></xs:element>
              <xs:element default="false" minOccurs="0" name="chunked-transfer-disabled" nillable="false" type="xs:boolean"></xs:element>
              <xs:element default="true" minOccurs="0" name="use-highest-compatible-http-version" nillable="false" type="xs:boolean"></xs:element>
              <xs:element default="false" minOccurs="0" name="use-header-encoding" nillable="false" type="xs:boolean"></xs:element>
              <xs:element default="true" minOccurs="0" name="auth-cookie-enabled" nillable="false" type="xs:boolean"></xs:element>
              <xs:element default="512" minOccurs="0" name="write-chunk-bytes" nillable="false" type="xs:int"></xs:element>
              <xs:element default="false" minOccurs="0" name="wap-enabled" nillable="false" type="xs:boolean"></xs:element>
              <xs:element default="false" minOccurs="0" name="accept-context-path-in-get-real-path" nillable="false" type="xs:boolean"></xs:element>
              <xs:element default="false" minOccurs="0" name="single-signon-disabled" nillable="false" type="xs:boolean"></xs:element>
              <xs:element minOccurs="0" name="web-deployment" nillable="true" type="xs:string"></xs:element>
              <xs:element minOccurs="0" name="work-manager-for-remote-session-fetching" nillable="true" type="xs:string"></xs:element>
              <xs:element minOccurs="0" name="client-ip-header" nillable="true" type="xs:string"></xs:element>
            </xs:sequence>
          </xs:extension>
        </xs:complexContent>
      </xs:complexType>
    Note that the default value for the auth-cookie-enabled element is 'true'. An example server configuration looks as follows (note that the
    position of the auth-cookie-enabled element is important, as we are dealing with a sequence):
    <server>
        <name>security_server</name>
        <ssl>
          <name>security_server</name>
          <enabled>false</enabled>
        </ssl>
        <machine>Machine1</machine>
        <listen-port>8001</listen-port>
        <cluster xsi:nil="true"></cluster>
        <web-server>
          <name>security_server</name>
          <web-server-log>
            <number-of-files-limited>false</number-of-files-limited>
          </web-server-log>
          <auth-cookie-enabled>false</auth-cookie-enabled>
        </web-server>
        <listen-address>axis-into-ict.nl</listen-address>
        <server-start>
          <name>security_server</name>
          <java-vendor>Oracle</java-vendor>
          <java-home>/home/oracle/jrockit-jdk1.6.0_29-R28.2.2-4.1.0</java-home>
          <arguments>-Xms512m -Xmx512m -Xgc:throughput</arguments>
        </server-start>
    </server>
    When looking in the admin console, you would expect the auth-cookie-enabled element to be configurable under
    environment, servers, your_server, protocols, http tab. For example, when configuring some timeouts in that screen
    you get the following in config.xml:
    <server>
        <name>security_server</name>
        <ssl>
          <name>security_server</name>
          <enabled>false</enabled>
        </ssl>
        <machine>Machine1</machine>
        <listen-port>8001</listen-port>
        <cluster xsi:nil="true"></cluster>
        <web-server>
          <name>security_server</name>
          <web-server-log>
            <number-of-files-limited>false</number-of-files-limited>
          </web-server-log>
          <keep-alive-secs>60</keep-alive-secs>
          <https-keep-alive-secs>120</https-keep-alive-secs>
          <post-timeout-secs>60</post-timeout-secs>
          <auth-cookie-enabled>false</auth-cookie-enabled>
        </web-server>
        <listen-address>axis-into-ict.nl</listen-address>
        <server-start>
          <name>security_server</name>
          <java-vendor>Oracle</java-vendor>
          <java-home>/home/oracle/jrockit-jdk1.6.0_29-R28.2.2-4.1.0</java-home>
          <arguments>-Xms512m -Xmx512m -Xgc:throughput</arguments>
        </server-start>
    </server>
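The point of the post above is that config.xml is validated against an xs:sequence, so an element in the wrong place (or spelled in the old 8.1 attribute style) stops the server from starting. The following script, added here as an example and not taken from the thread or from Oracle, derives the child order of web-serverType from the domain.xsd fragment quoted above and checks a <web-server> fragment against it. The schema text is a constructed copy of that fragment with only element names kept; the assumption that the base deploymentType contributes just a leading <name> element is mine.

```python
"""Check a <web-server> fragment for WebLogic config.xml against the child
order that the xs:sequence of web-serverType in domain.xsd requires."""
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed copy of the web-serverType sequence quoted from domain.xsd
# (types and defaults dropped; only element names and their order matter here).
DOMAIN_XSD_FRAGMENT = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:dom="http://xmlns.oracle.com/weblogic/domain">
  <xs:complexType name="web-serverType">
    <xs:complexContent>
      <xs:extension base="dom:deploymentType">
        <xs:sequence>
          <xs:element name="web-server-log"/>
          <xs:element name="frontend-host"/>
          <xs:element name="frontend-http-port"/>
          <xs:element name="frontend-https-port"/>
          <xs:element name="overload-response-code"/>
          <xs:element name="keep-alive-enabled"/>
          <xs:element name="keep-alive-secs"/>
          <xs:element name="https-keep-alive-secs"/>
          <xs:element name="post-timeout-secs"/>
          <xs:element name="max-post-time-secs"/>
          <xs:element name="max-post-size"/>
          <xs:element name="send-server-header-enabled"/>
          <xs:element name="default-web-app-context-root"/>
          <xs:element name="charsets"/>
          <xs:element name="url-resource"/>
          <xs:element name="chunked-transfer-disabled"/>
          <xs:element name="use-highest-compatible-http-version"/>
          <xs:element name="use-header-encoding"/>
          <xs:element name="auth-cookie-enabled"/>
          <xs:element name="write-chunk-bytes"/>
          <xs:element name="wap-enabled"/>
          <xs:element name="accept-context-path-in-get-real-path"/>
          <xs:element name="single-signon-disabled"/>
          <xs:element name="web-deployment"/>
          <xs:element name="work-manager-for-remote-session-fetching"/>
          <xs:element name="client-ip-header"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
</xs:schema>"""


def sequence_from_xsd(xsd_text: str, type_name: str) -> list:
    """Return the element names of the named complexType in schema order."""
    root = ET.fromstring(xsd_text)
    for ctype in root.iter(XS + "complexType"):
        if ctype.get("name") == type_name:
            return [e.get("name") for e in ctype.iter(XS + "element")]
    raise ValueError(f"type {type_name} not found in schema")


def check_order(fragment: str, sequence: list, inherited=("name",)) -> list:
    """Return problems found in a <web-server> fragment; [] means it is in
    schema order. `inherited` names the elements the base deploymentType is
    assumed to contribute (just <name> here); they must come first."""
    root = ET.fromstring(fragment)
    problems = []
    if root.tag != "web-server":
        problems.append(f"root is <{root.tag}>; 9.x+ config.xml uses <web-server>")
    if root.attrib:
        problems.append('attributes such as Name="..." are the 8.1 config style; '
                        "10.3 expects child elements")
    rank = {name: i for i, name in enumerate(sequence)}
    last_rank, last_tag = -1, None
    for child in root:
        tag = child.tag
        if tag in inherited:
            if last_tag is not None:
                problems.append(f"<{tag}> must come before <{last_tag}>")
        elif tag not in rank:
            problems.append(f"<{tag}> is not an element of web-serverType (spelling/case?)")
        elif rank[tag] < last_rank:
            problems.append(f"<{tag}> must come before <{last_tag}>")
        else:
            last_rank, last_tag = rank[tag], tag
    return problems


# Constructed fragments: the working layout from the post above, a mis-ordered
# copy of it, and the 8.1-style attribute form that fails at startup.
GOOD_FRAGMENT = """<web-server>
  <name>security_server</name>
  <web-server-log><number-of-files-limited>false</number-of-files-limited></web-server-log>
  <keep-alive-secs>60</keep-alive-secs>
  <auth-cookie-enabled>false</auth-cookie-enabled>
</web-server>"""
BAD_ORDER_FRAGMENT = """<web-server>
  <name>security_server</name>
  <auth-cookie-enabled>false</auth-cookie-enabled>
  <web-server-log><number-of-files-limited>false</number-of-files-limited></web-server-log>
</web-server>"""
OP_ATTEMPT = '<WebServer Name="myserver" AuthCookieEnabled="true"/>'

if __name__ == "__main__":
    seq = sequence_from_xsd(DOMAIN_XSD_FRAGMENT, "web-serverType")
    for label, frag in (("good", GOOD_FRAGMENT), ("bad order", BAD_ORDER_FRAGMENT), ("OP", OP_ATTEMPT)):
        print(label, check_order(frag, seq) or "OK")
```

Run it against your own <web-server> block before restarting the server; the same approach works for any other sequence-typed element in config.xml once you point sequence_from_xsd at the matching complexType in the real domain.xsd.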
  • 5. Re: How to set JSESSION ID as secure in Weblogic 10.3.5.0
    user116837 Newbie
    This is a little aged now but I'll still post this in case it helps others. This is what I found today.

    1. You can set this via the Admin Console as per Support Article: How to set up secure cookie on weblogic server [ID 1267117.1]

    Log in to the Admin Console and go to >> Domain >> Web Applications
    You will see a check box for [Auth Cookie Enabled] - check/uncheck as desired

    2. As stated across several references this is set to true by default, BUT if you are testing and don't see the added _WL_AUTHCOOKIE_JSESSIONID cookie, it might be because you are using an unauthenticated application. For the applications I have tested, it only appears "after" authentication to a secure application.

    Cheers
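The thread ends on a testing point: the auth cookie only shows up on an HTTPS response after authentication, and the original question (whether JSESSIONID itself carries the Secure flag) is a separate thing to verify. The script below, added here as an example and not part of the thread, parses Set-Cookie headers and reports whether JSESSIONID has Secure and HttpOnly and whether _WL_AUTHCOOKIE_JSESSIONID was issued with Secure. The two responses it audits are constructed, not captured from a real server; fetch_header_lines is an optional helper for running the same audit against a live HTTPS endpoint, and its insecure switch is only for test servers with self-signed certificates.

```python
"""Audit Set-Cookie headers from a WebLogic HTTPS response for the session
cookie flags discussed in this thread (Secure, HttpOnly, auth cookie present)."""
import http.client
import ssl


def parse_set_cookie(header_line: str):
    """Split 'Set-Cookie: NAME=VALUE; Attr; Attr=val' into (name, value, {attr: val}).
    Flag attributes without a value (Secure, HttpOnly) map to True."""
    _, _, raw = header_line.partition(":")
    parts = [p.strip() for p in raw.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value, attrs


def audit_session_cookies(header_lines) -> list:
    """Return findings about the session cookies in a response; [] means OK."""
    cookies = {}
    for line in header_lines:
        if line.lower().startswith("set-cookie:"):
            name, _, attrs = parse_set_cookie(line)
            cookies[name] = attrs

    findings = []
    jsid = cookies.get("JSESSIONID")
    if jsid is None:
        findings.append("no JSESSIONID cookie in response")
    else:
        if "secure" not in jsid:
            findings.append("JSESSIONID lacks Secure: the browser will also send it over plain HTTP")
        if "httponly" not in jsid:
            findings.append("JSESSIONID lacks HttpOnly: readable by script after an XSS")

    auth = cookies.get("_WL_AUTHCOOKIE_JSESSIONID")
    if auth is None:
        findings.append("_WL_AUTHCOOKIE_JSESSIONID absent: not HTTPS, auth-cookie-enabled off, "
                        "or the response precedes authentication")
    elif "secure" not in auth:
        findings.append("_WL_AUTHCOOKIE_JSESSIONID lacks Secure")
    return findings


def fetch_header_lines(host: str, port: int, path: str, insecure: bool = False) -> list:
    """Live helper: GET a path over HTTPS and return its headers as 'Name: value' lines.
    insecure=True disables certificate verification (test servers only)."""
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    conn.request("GET", path)
    resp = conn.getresponse()
    lines = [f"{k}: {v}" for k, v in resp.getheaders()]
    conn.close()
    return lines


# Constructed responses, not captured from a real server: one before login
# with the session cookie left insecure, one after login with both cookies hardened.
BEFORE_AUTH = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: JSESSIONID=AbC123.server1; Path=/app; HttpOnly",
]
AFTER_AUTH_HARDENED = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: JSESSIONID=AbC123.server1; Path=/app; Secure; HttpOnly",
    "Set-Cookie: _WL_AUTHCOOKIE_JSESSIONID=XyZ789; Path=/app; Secure; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("before auth", BEFORE_AUTH), ("after auth", AFTER_AUTH_HARDENED)):
        print(label, audit_session_cookies(headers) or "OK")
```

Note the distinction the audit makes: _WL_AUTHCOOKIE_JSESSIONID being present only proves that auth-cookie-enabled is on and that the request was authenticated over HTTPS; it does not make the JSESSIONID cookie itself Secure, which is what the original question asked for and what the first finding checks.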
