Configuring cookies

All cookies that are created by the Operational Decision Manager applications carry the HttpOnly and Secure attributes. HttpOnly keeps a cookie out of reach of client-side scripts, so a cross-site scripting flaw cannot read the session or SSO token, and Secure stops the browser from sending the cookie over plain HTTP. Both attributes must be set on every cookie to protect the session.

For more information about the HttpOnly and Secure options, see HttpOnly in the Open Web Application Security Project (OWASP) documentation.

If you use WebSphere® Liberty as your application server, check the following guidelines for cookies.

The Liberty server can use several different cookies. You must set all cookies to HttpOnly and Secure when you configure a Liberty application. The following cookies are the ones most often seen:
  • LtpaToken2 is used for Single Sign-On (SSO) among multiple Liberty servers.
  • JSESSIONID contains an ID for the current session.
WebSphere Liberty also uses the following two cookies:
  • WASReqURL contains the URL of the request that triggered the login, so that the user is redirected back to it after single sign-on completes. It does not contain any sensitive information and is handled like the other cookies, that is, it receives the same HttpOnly and Secure attributes.
  • WASPostParam contains the parameters of the HTTP POST request that triggered the login, so that the request can be completed after single sign-on. It does not contain any sensitive information and is handled like the other cookies.

Cookie LtpaToken2

You can use the webAppSecurity element in the server.xml file to configure web container application security for WebSphere Liberty:
<webAppSecurity 
   ssoCookieName="LtpaToken2"   
   ssoRequiresSSL="true" 
   httpOnlyCookies="true" 
   logoutOnHttpSessionExpire="true" … />
Note: You must add appSecurity-2.0, servlet-3.0, and other required Liberty features to the server.xml file. For more information, see Application Security 2.0 in the WebSphere Liberty product documentation.
Properties of the webAppSecurity element:
  • ssoCookieName: In general, do not use ssoCookieName to change the cookie name. If you do change it, the same name must be configured on every Liberty server that takes part in the same SSO domain; otherwise the servers do not recognize each other's token.
  • ssoRequiresSSL: Set this property to true so that the LtpaToken2 cookie is marked Secure and the browser sends it only over SSL/TLS. The default value is false, so an unchanged configuration sends the SSO token over plain HTTP.
  • httpOnlyCookies: When this property is set to true, the cookie is marked HttpOnly. The default value is true; do not change it.
  • logoutOnHttpSessionExpire: Set this property to true so that users are logged out when the HTTP session timer expires. If it is left at false, the user stays authenticated through the LtpaToken2 cookie until the SSO token itself times out, even after the HTTP session is gone.
  • Keep the cookie path at /, because the context roots of the applications that share the SSO cookie are not known in advance.

Cookie JSESSIONID

The httpSession element in the server.xml file configures HTTP session management, including the attributes of the session cookie. See the following example:
<httpSession 
   cookieName="DCSESSIONID" 
   cookieSecure="true" 
   cookieHttpOnly="true" 
   cookiePath="/"
… />
Properties of the httpSession element:
  • cookieName: The default value is DCSESSIONID. Giving each application its own session cookie name prevents it from clashing with the JSESSIONID cookie that other applications on the same host may set.
  • cookieSecure: Set this property to true so that the session cookie is marked Secure and sent only over SSL/TLS. The default value is false.
  • cookieHttpOnly: The default value is true. Do not change it.
  • cookiePath: The default value is /. If you know a specific cookie path, specify it here. Setting useContextRootAsCookiePath might be acceptable, but not all Operational Decision Manager applications are necessarily deployed under the same context root, and a cookie scoped to one context root is not sent to the others. A good practice is to deploy all Operational Decision Manager applications under /odm/xxx and set cookiePath to /odm. The path must start with /, otherwise browsers ignore it and fall back to the default path.
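After configuring the webAppSecurity and httpSession elements above, verify the result from the client side rather than trusting server.xml. The following Python script is an added check, not part of this page or of the Liberty or Operational Decision Manager products: it parses Set-Cookie headers and reports any cookie that lacks Secure or HttpOnly, or whose Path does not start with /. The sample headers are constructed to resemble the responses described above (with one cookie left at the cookieSecure default of false); the host name odm.example.com is an assumption. Pass a URL on the command line to run the same audit against a live server.

```python
"""Check Set-Cookie headers for the Secure and HttpOnly attributes.

Added example for this page; not Liberty or Operational Decision Manager code.
"""
import http.client
from urllib.parse import urlsplit

# Cookie names this page says must carry Secure and HttpOnly. DCSESSIONID is
# included because the httpSession example renames the session cookie.
EXPECTED_COOKIES = {"LtpaToken2", "JSESSIONID", "DCSESSIONID",
                    "WASReqURL", "WASPostParam"}

# Constructed sample headers, not captured from a real server. The second
# one shows what you get when cookieSecure is left at its default of false.
SAMPLE_HEADERS = [
    "LtpaToken2=AAECAZ-constructed-token; Path=/; Secure; HttpOnly",
    "DCSESSIONID=0000constructed:-1; Path=/odm; HttpOnly",
    "WASReqURL=https://odm.example.com/decisioncenter/; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers):
    """Return {cookie name: [problems]}; an empty list means the cookie is fine."""
    findings = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly")
        path = attrs.get("path")
        # Per RFC 6265, a Path that is empty or does not start with "/" is
        # ignored by browsers, so "odm" instead of "/odm" silently misconfigures.
        if path is not None and not (isinstance(path, str) and path.startswith("/")):
            problems.append("Path must start with /")
        findings[name] = problems
    return findings


def fetch_set_cookie_headers(url, timeout=10):
    """Send one GET to url and return its raw Set-Cookie headers (live check).

    Certificate verification is left at the http.client default (enabled).
    """
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        response = conn.getresponse()
        return response.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


def report(findings):
    """Format findings as one line per cookie."""
    lines = []
    for name, problems in sorted(findings.items()):
        note = "" if name in EXPECTED_COOKIES else " (not one of the cookies listed above)"
        status = "OK" if not problems else ", ".join(problems)
        lines.append(f"{name}: {status}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    print(report(audit_cookies(headers)))
```

The script only inspects the first response; LtpaToken2 is issued after a successful login, so run the live check against a URL that triggers form or basic authentication, or feed the script the Set-Cookie headers captured from the login response.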