Securing HttpOnly cookies in WebSphere Application Server (WAS) involves enabling the HttpOnly and Secure attributes for cookies. These attributes prevent client-side scripts (JavaScript) from reading the cookies and ensure they are transmitted only over secure (HTTPS) connections. Here is how to configure this:
1. Enable HttpOnly Attribute:
In WebSphere Application Server, the JSESSIONID cookie is used for session tracking. Follow these steps to enable the HttpOnly attribute:
1. Log in to the WebSphere Administrative Console.
2. Navigate to: Security > Global Security > Web and SIP Security > General Settings
3. Under Additional properties, click Web Container Settings > Web Container.
4. Select Custom Properties and click New.
5. Create a new property:
   - Name: com.ibm.ws.webcontainer.httpOnlyCookies
   - Value: true
6. Save the configuration and restart the server.
2. Enable Secure Attribute:
For JSESSIONID cookies, the Secure attribute ensures cookies are sent only over HTTPS. To enable it:
1. Log in to the WebSphere Administrative Console.
2. Navigate to: Applications > Application Types > WebSphere Enterprise Applications
3. Select your application.
4. Under Additional properties, click Web Module Properties > Session Management.
5. Click Enable cookies and check Restrict cookies to HTTPS sessions.
6. Save the configuration and restart the server.
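After both changes are applied and the server restarted, the configuration should be verified from the client side: the Set-Cookie headers the server sends are what the browser enforces, not the console settings. The script below is an added example (not part of the original page or of IBM's own tooling) that parses Set-Cookie header values and reports, per cookie, which of the two attributes is missing. The sample headers, including the cookie values and the JSESSIONID and LtpaToken2 names used in them, are constructed for this example; the `fetch_set_cookie_headers` helper is an assumed convenience for running the same audit against a live HTTPS endpoint of your own server and is not called on import.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example, not from the original page: the functions here parse the
Set-Cookie header values a server returns and list the attributes each
cookie is missing, so the WebSphere settings above can be checked from the
client side after the restart.
"""
import urllib.request
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CookieAudit:
    """Result of inspecting one Set-Cookie header."""
    name: str
    httponly: bool
    secure: bool

    @property
    def missing(self) -> List[str]:
        """Attributes this cookie should carry but does not."""
        gaps = []
        if not self.httponly:
            gaps.append("HttpOnly")
        if not self.secure:
            gaps.append("Secure")
        return gaps


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value into a CookieAudit.

    The first ';'-separated segment is name=value; the remaining segments are
    attributes. Attribute names are compared case-insensitively because
    servers emit 'HttpOnly', 'httponly' and 'HTTPOnly' interchangeably, and
    the browser treats them all the same.
    """
    segments = [s.strip() for s in header_value.split(";")]
    name = segments[0].split("=", 1)[0].strip()
    # Keep only the attribute keyword (e.g. 'path' from 'Path=/'), lower-cased.
    attrs = {s.split("=", 1)[0].strip().lower() for s in segments[1:] if s}
    return CookieAudit(name=name,
                       httponly="httponly" in attrs,
                       secure="secure" in attrs)


def audit_cookies(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the list of attributes it is missing.

    An empty list means the cookie carries both HttpOnly and Secure.
    """
    return {audit.name: audit.missing
            for audit in map(parse_set_cookie, set_cookie_headers)}


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Assumed helper: perform one GET against a live server and return its
    Set-Cookie headers. Use an https:// URL, since the Secure attribute only
    makes sense on an HTTPS response. Not executed on import."""
    with urllib.request.urlopen(url) as response:
        return response.headers.get_all("Set-Cookie") or []


# Constructed sample headers: the first looks like a correctly configured
# session cookie, the second lacks Secure, the third lacks both attributes.
SAMPLE_HEADERS = [
    "JSESSIONID=0000EXAMPLESESSIONID:-1; Path=/; HttpOnly; Secure",
    "LtpaToken2=EXAMPLETOKENVALUE; Path=/; HttpOnly",
    "preferences=lang%3Den; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
]


if __name__ == "__main__":
    for cookie_name, gaps in audit_cookies(SAMPLE_HEADERS).items():
        status = "OK" if not gaps else "missing " + ", ".join(gaps)
        print(f"{cookie_name}: {status}")
```

Run it as-is to see the report on the constructed sample; to check a real deployment, replace `SAMPLE_HEADERS` with `fetch_set_cookie_headers("https://your-was-host/your-app/")` (placeholder URL) and confirm that JSESSIONID reports no missing attributes. The parser deliberately splits only on `;`, so attribute values that contain commas, such as the Expires date, are handled correctly.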