Penetration testing issue raised - cookie not having secure flag, domain information
In a recent penetration test conducted on our application deployed on WLS 12.2.1.x, a couple of issues raised were:
1. Cookie does not have the Secure flag
2. Cookie does not contain domain info or context path info
Our application is used by different customers, with deployments on WLS and on other application servers such as WildFly 8+, WAS 8.5.5.x and GlassFish 4.x.
For deployments on WLS, some customers access the application URL over HTTP and some over HTTPS. We develop the application as a product, and the same product gets released (build/release is automated) for the varied (HTTP/HTTPS) WLS deployments. For including the Secure flag, the only option we have found so far (searching documents and forums) was to set it in weblogic.xml -
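Editor's added example, not the poster's weblogic.xml snippet and not code from the product described above. It shows a portable alternative to the WebLogic-specific `<session-descriptor>` settings (`<cookie-secure>`, `<cookie-domain>`, `<cookie-path>` in weblogic.xml): the Servlet 3.0 `SessionCookieConfig` API, available on WLS 12.2.1, WildFly 8+, WAS 8.5.5.x and GlassFish 4.x alike, configured from a `ServletContextListener` so that one automated build can be deployed to both HTTP-only and HTTPS customers and the per-deployment decision is made by a setting rather than by a rebuild. The property and context-param names (`app.cookie.secure`, `app.cookie.domain`) are assumptions chosen for the example.

```java
// Added example (editor's, not from the original post): set the Secure flag, Path and
// optional Domain of the container-issued session cookie (JSESSIONID) portably via
// javax.servlet.SessionCookieConfig (Servlet 3.0+). The setting names are assumptions.
package example;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

@WebListener
public class SessionCookieHardening implements ServletContextListener {

    // Assumed names: a JVM system property set per server (e.g. -Dapp.cookie.secure=true
    // only on the HTTPS-fronted WLS instances), falling back to a <context-param> in web.xml.
    private static final String SECURE_KEY = "app.cookie.secure";
    private static final String DOMAIN_KEY = "app.cookie.domain";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // SessionCookieConfig may only be changed while the context is still initializing,
        // which is exactly when contextInitialized() runs.
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();

        // Secure: the browser sends the cookie over TLS only. This must stay false on
        // plain-HTTP deployments; otherwise JSESSIONID is never returned and every
        // request creates a fresh session (logins appear to "not stick").
        boolean secure = Boolean.parseBoolean(setting(ctx, SECURE_KEY, "false"));
        cfg.setSecure(secure);

        // HttpOnly: keeps the session id out of document.cookie. Not one of the two
        // findings above, but it is usually reported next to the missing Secure flag.
        cfg.setHttpOnly(true);

        // Path: scope the cookie to this web application's context root instead of "/",
        // addressing the "no context path info" finding.
        String contextPath = ctx.getContextPath();
        cfg.setPath(contextPath.isEmpty() ? "/" : contextPath);

        // Domain: only set when explicitly configured. Omitting it yields a host-only
        // cookie, the tighter scope; an explicit Domain attribute widens it to subdomains.
        String domain = setting(ctx, DOMAIN_KEY, null);
        if (domain != null && !domain.isEmpty()) {
            cfg.setDomain(domain);
        }

        ctx.log("Session cookie config: secure=" + secure
                + ", httpOnly=true, path=" + cfg.getPath()
                + ", domain=" + cfg.getDomain());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }

    // Resolution order: system property (per-server override), web.xml context-param, default.
    private static String setting(ServletContext ctx, String key, String def) {
        String v = System.getProperty(key);
        if (v == null) {
            v = ctx.getInitParameter(key);
        }
        return v != null ? v : def;
    }
}
```

The same three settings can also be declared without code in web.xml under `<session-config><cookie-config>` (`<secure>`, `<domain>`, `<path>`, `<http-only>`), which is equally portable across the servers listed; the listener is only needed when the value has to differ per deployment of one build. Whichever route is used, verify with a browser's developer tools or `curl -I` that the `Set-Cookie: JSESSIONID=...` response header carries `Secure` on the HTTPS deployments and the intended `Path`, and that the HTTP-only deployments still keep their session across requests.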