Oracle Weblogic Server (MOSC)


Penetration testing issue raised - cookie not having secure flag, domain information

edited Mar 13, 2018 8:43AM in Oracle Weblogic Server (MOSC) · 3 comments · Answered

In a recent penetration test conducted on our application deployed on WLS 12.2.1.x, a couple of issues raised were:

1. Cookie does not have secure flag

2. Cookie does not contain domain info or context path info

Our application is used by different customers, with deployments done in WLS and other application servers like Wildfly 8+, WAS 8.5.5.x, GlassFish 4.x.

For deployments done in WLS, some customers access the application URL as HTTP and some customers access the URL as HTTPS. We develop the application as a product and the same product gets released (build/release is automated) for the varied (URL access) WLS deployments. For the secure flag inclusion, the only option so far we've searched (in documents, forums) and found was to have it done in weblogic.xml-
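One portable way to close both findings from a single build, added here as an example and not the weblogic.xml option the poster refers to: the Servlet 3.0+ `SessionCookieConfig` API is available on all four containers named above, and a context listener can set the Secure flag per deployment. The system property name `app.cookie.secure` and the class name are assumptions for this example.

```java
// Added example (not from the post): harden the session cookie once at
// context start-up via the Servlet 3.0+ SessionCookieConfig API, so one
// build serves both the HTTP and the HTTPS customer deployments.
// Assumed: a JVM system property "app.cookie.secure" (name chosen here)
// is set to "true" on deployments that are reached over HTTPS.
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

@WebListener
public class SessionCookieHardener implements ServletContextListener {

    // Property name is an assumption for this example, not a container setting.
    static final String SECURE_PROPERTY = "app.cookie.secure";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();

        // The setters below are only legal before the context finishes
        // initialising, which is exactly when contextInitialized() runs.
        cfg.setHttpOnly(true);

        // Scope the cookie to this application's own context root, which
        // addresses the "no context path info" finding on every server.
        // A root deployment has an empty context path, so fall back to "/".
        String path = ctx.getContextPath().isEmpty() ? "/" : ctx.getContextPath();
        cfg.setPath(path);

        // No Domain attribute is set on purpose: a cookie without Domain is
        // host-only, which is the narrowest scope a browser will apply.

        // Secure must be decided per deployment: a Secure cookie is never
        // sent over plain HTTP, so an HTTP-only customer would lose the
        // session if it were hard-coded to true in the shared build.
        cfg.setSecure(Boolean.getBoolean(SECURE_PROPERTY));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }
}
```

Start HTTPS deployments with `-Dapp.cookie.secure=true`; on deployments that are still reached over plain HTTP the session cookie remains unprotected in transit regardless of flags, so the finding there is only closed by moving that customer to HTTPS.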
