2 Replies Latest reply: Jan 15, 2013 4:00 PM by Jose A Juarez RSS

    HTTPOnly on Cookies

    Jose A Juarez
      The security group of my company perform a web security scan (with WebInspect ), and they found that Set-Cookie does not use HTTPOnly Keyword, and they send me a list of the urls that they find with this vulnerability (In fact, all pages of my Global Payroll Application doesn't use this 'feature' ). I think that this "feature" is on the WebServer, I'm using PeopleTools 8.49.30 And WebSphere ( I try to find where to activate, but I didn't find ). Dou you know How I can enable this "feature" ?
        • 1. Re: HTTPOnly on Cookies

          you can see the document ID "ID 985574.1" on Oracle Support to know the answer:

          This is fragment of the document:

          "PeopleSoft PIA does not support HTTPOnly for cookies. Enhancement request Bug:11521341 has been created with development to request this feature in a future PeopleTools release. This document will be updated when and if this enhancement becomes part of a tools release. As of now, it is still not part of PT 8.52."

          It could be implemented on PT 8.53 but you have to wait until the next year...

          • 2. Re: HTTPOnly on Cookies
            Jose A Juarez
            Andres: A lot of thanks for you Anwser.

            I found that there some APAR for WebSphere that can solve this, but I need ti Upgrade my WebServer to a new version that is not certificate by oracle. But anyway I already download the Doc Id and I use like a Support at my Audit.