non-secure cookies over ssl in obiee

Dear Experts,
Where do I set the setup below in OBIEE 12.2.1.4.0?
The web application sends non-secure cookies over SSL in OBIEE. Where do I set this?
ORA_BIPS_LBINFO
JSESSIONID
Answers
-
Hi,
Did somebody run a security scan/audit on your OBIEE and they gave you a long list of things being "unsecure"?
> 3808468 wrote: the web application sends non-secure cookies over ssl in obiee ?
What is a "secure" cookie for you?
If you mean the "secure" flag of the cookies being set, you must also know that this doesn't make the cookie secure.
That "secure" flag is totally useless when your cookie is sent over SSL, mainly because that flag just means to not send the cookie if the connection isn't SSL.
If you really want that "secure" flag to be set, you can configure it in your instanceconfig.xml; there is a "CookieSecure" tag which can be used.
0 -
Dear Gianni,
As per the document below, they mention configuring secure cookies in the following location,
i.e. WEB-INF/weblogic.xml
OBI 11g|12c: How To Configure Secure Cookies (Doc ID 1676542.1)
I am a bit confused: what is the right place to set secure cookies, is it in instanceconfig.xml or weblogic.xml?
Please suggest.
0 -
Good question ...
I found the info about instanceconfig.xml in the XSD file defining all the allowed tags in instanceconfig.xml (I was looking at a 12.2.1.1 version, I don't think it changed in .4); you can see a screenshot of the part about the secure flag below.
So instanceconfig.xml will accept that setting.
The unknown point is if it's enough, and even more if it isn't defined somewhere else (like in the file you find in the MOS document, as there is a reference to @mBeanInfo which I have no idea how it is interpreted by OBIEE).
What I would do, being you, is to set the flag in instanceconfig.xml, restart and test on an HTTP (non SSL) connection if the cookies are set or not. I would do that because changing instanceconfig.xml and restarting is a lot less work than the change of the MOS document.
If it works, fine: you got what you are after with a simple config file setting.
If it doesn't work, you are good to go with the changes of the MOS file (knowing you will have to do them again and again every time you patch your OBIEE, as the analytics deployment has good chances to be replaced).
0
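
For the "restart and test" step suggested above, an added example (not part of the original thread and not Oracle code) that audits response headers for the two cookies named in the question and reports which ones lack the Secure attribute. The header block is constructed sample data, and the `EXAMPLE_*` cookie names are hypothetical.

```python
# Constructed sample response headers (not captured from a real OBIEE server).
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: ORA_BIPS_LBINFO=16f0a1b2c3d; path=/analytics
Set-Cookie: JSESSIONID=abc123!-456; path=/analytics; HttpOnly
Set-Cookie: EXAMPLE_FLAGGED=v1; Path=/analytics; SECURE; HttpOnly
Set-Cookie: EXAMPLE_TRICKY=secure; path=/analytics
"""

# The cookie names reported in the original question.
WATCHED = {"ORA_BIPS_LBINFO", "JSESSIONID"}


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names).

    Only the segments after the first ';' are attributes, so a cookie whose
    *value* happens to be the word 'secure' is not mistaken for a flagged one.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_missing_secure(raw_headers, watch=None):
    """Return the names of cookies set without the Secure attribute, in order.

    If `watch` is given, only those cookie names are reported.
    """
    missing = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue  # status line or some other header
        name, attrs = parse_set_cookie(value)
        if watch is not None and name not in watch:
            continue
        if "secure" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_HEADERS, WATCHED):
        print(f"{cookie}: Secure attribute not set")
```

Feed it the response headers saved before and after the configuration change (for example from `curl -sk -D - -o /dev/null <your analytics URL>`) to see whether the setting took effect.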