Thursday, July 26, 2018

[TechNote] Setting the Secure and HTTPOnly flags on the JSESSIONID cookie in WebSphere Application Server versions v7.0 and v.8.x

WebSphere Application Server v8.0 and Higher:

  • The HTTPOnly flag on the JSESSIONID is enabled by default. Check and make sure the option "Set session cookies to HTTPOnly to help prevent cross-site scripting attacks" is selected.
  • The Secure flag on the JSESSIONID is not enabled by default. To add the Secure flag to the JSESSIONID, make sure the option "Restrict cookies to HTTPS sessions" is selected.
  • In the administrative console: click on Application servers > servername > Session management > Enable cookies


(Screenshot: https://www.ibm.com/developerworks/community/blogs/aimsupport/resource/WAS/jsessionid1.jpg)


WebSphere Application Server v7.0:

HTTPOnly flag

  • The HTTPOnly setting on the JSESSIONID cookie is a new function that was added in fix pack 7.0.0.9. You need to be at fix pack 7.0.0.9 or higher in order to configure the web container custom property "com.ibm.ws.webcontainer.HTTPOnlyCookies", which adds the HTTPOnly flag to the JSESSIONID cookie.
  • In the administrative console, click on Application servers > servername > Web Container Settings > Web container > Custom properties, then click on New... and enter:

Name: com.ibm.ws.webcontainer.HTTPOnlyCookies
Value: JSESSIONID


Secure flag

  • To set the Secure flag on the JSESSIONID cookie, go to the Session management panel and make sure the option "Restrict cookies to HTTPS sessions" is checked.
  • In the administrative console: click on Application servers > servername > Session management > Enable cookies



Procedure

  1. Open a browser window and log on to the IBM® WebSphere® Integrated Solutions Console as a server administrator.
    The default URL is http://<server_name>:<port>/ibm/console.
  2. In the left panel of the Integrated Solutions Console:
    1. Expand Servers | Server Types
    2. Click the WebSphere Application Server in the list.
  3. In the list on the Application servers page, click the name of the application server you want to configure.
  4. On the Application servers | OpenPages-server-name page, click the Configuration tab.
  5. On the Configuration tab, under the Container Settings heading, click Session Management.
  6. On the Application servers | OpenPages-server-name | Session Management page:
    1. Verify that the Enable cookies setting is selected.
    2. On the Application servers | OpenPages-server-name | Session Management Cookies page, configure the Restrict cookies to HTTPS sessions option:
      • To enable secure session cookies, select the Restrict cookies to HTTPS sessions check box.
      • To disable secure session cookies, clear the Restrict cookies to HTTPS sessions check box.
    3. When finished, click Apply.
  7. Repeat steps 3-7 for all available application servers.
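Once the console settings above have been applied and the server restarted, the only thing that matters is what the server actually sends in its Set-Cookie header. The following check is an added example, not part of the IBM TechNote: it parses Set-Cookie header values and reports whether the JSESSIONID cookie carries the Secure and HttpOnly attributes. The sample headers are constructed for illustration, and the live fetch helper assumes a hypothetical console URL.

```python
"""Audit a WebSphere response for Secure/HttpOnly on the JSESSIONID cookie.

Added example (not IBM's code). The sample Set-Cookie values below are
constructed to resemble what a WebSphere server emits before and after the
"Restrict cookies to HTTPS sessions" and HTTPOnly settings are applied.
"""
import urllib.request
from typing import Dict, List

# Constructed sample headers: session id value is a placeholder, not real.
SAMPLE_BEFORE = [
    "JSESSIONID=0000SESSIONIDPLACEHOLDER:-1; Path=/",
]
SAMPLE_AFTER = [
    "JSESSIONID=0000SESSIONIDPLACEHOLDER:-1; Path=/; Secure; HttpOnly",
    "LtpaToken2=TOKENPLACEHOLDER; Path=/; HttpOnly",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a lower-cased attribute map.

    Attribute names are case-insensitive (RFC 6265), so "Secure", "secure"
    and "SECURE" all end up as the key "secure". Flag attributes without a
    value map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(headers: List[str],
                         cookie_name: str = "JSESSIONID") -> Dict[str, object]:
    """Report which hardening flags the named session cookie is missing.

    Returns a dict with keys: found, secure, httponly, missing.
    Cookie names are matched exactly (they are case-sensitive).
    If the cookie is set more than once, the last occurrence wins.
    """
    result: Dict[str, object] = {
        "found": False, "secure": False, "httponly": False, "missing": []
    }
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] != cookie_name:
            continue
        attrs = cookie["attrs"]
        result["found"] = True
        result["secure"] = "secure" in attrs
        result["httponly"] = "httponly" in attrs
    if result["found"]:
        missing = []
        if not result["secure"]:
            missing.append("Secure")
        if not result["httponly"]:
            missing.append("HttpOnly")
        result["missing"] = missing
    return result


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Fetch a URL and return every Set-Cookie header of the final response.

    Live check for use against your own server; follows redirects, so the
    headers come from the page that finally answers.
    """
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        report = audit_session_cookie(sample)
        print(label, report)
    # Live usage (hypothetical URL, adjust to your own console):
    # print(audit_session_cookie(
    #     fetch_set_cookie_headers("https://<server_name>:<port>/ibm/console")))
```

Run the live check over HTTPS: the Secure attribute tells a browser to send the cookie only on encrypted connections, and HttpOnly keeps it out of reach of page scripts, so a report with an empty `missing` list confirms the two console settings took effect for the server you queried.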
