Configuring cookies
All cookies that are created by the Operational Decision Manager applications carry the HttpOnly and Secure attributes. Both must be set: Secure stops the browser from sending the cookie over plain HTTP, and HttpOnly stops client-side script from reading it, which limits what a cross-site scripting flaw can steal.
For more information about the HttpOnly and Secure attributes, see HttpOnly in the Open Web Application Security Project (OWASP) documentation.
If you use WebSphere® Liberty as your application server, check the following guidelines for cookies.
- LtpaToken2 is used for Single Sign-On (SSO) among multiple Liberty servers.
- JSESSIONID contains an ID for the current session.
- WASReqURL stores the URL of the request that triggered authentication, so that the user can be redirected to it after SSO completes. It does not contain any sensitive information and can be handled like other cookies.
- WASPostParam contains the parameters of the last HTTP POST request. It does not contain any sensitive information and can be handled like other cookies.
Cookie LtpaToken2
Use the webAppSecurity element in the server.xml file to configure web container application security for WebSphere Liberty:

    <webAppSecurity
        ssoCookieName="LtpaToken2"
        ssoRequiresSSL="true"
        httpOnlyCookies="true"
        logoutOnHttpSessionExpire="true" … />

Add the appSecurity-2.0, servlet-3.0, and other required Liberty features to the server.xml file. For more information, see Application Security 2.0 in the WebSphere Liberty product documentation.

Property | Description |
---|---|
ssoCookieName | In general, do not use ssoCookieName to change the cookie name. If you do change it, the same name must be configured on every Liberty server that takes part in the same SSO domain. |
ssoRequiresSSL | Set this property to true so that the LtpaToken2 cookie is marked Secure and is sent only over HTTPS. The default value is false, so an unmodified server.xml sends the SSO token over plain HTTP as well. |
httpOnlyCookies | When this property is set to true, the cookie is marked HttpOnly. The default value is true. |
logoutOnHttpSessionExpire | Set this property to true so that users are logged out when the HTTP session timer expires. Set the path to / because the context root is not known in advance. |
Cookie JSESSIONID
Use the httpSession element in the server.xml file to configure the session cookie:

    <httpSession
        cookieName="DCSESSIONID"
        cookieSecure="true"
        cookieHttpOnly="true"
        cookiePath="/"
        … />

Property | Description |
---|---|
cookieName | The default value is DCSESSIONID. |
cookieSecure | Set this property to true. The default value is false. |
cookieHttpOnly | The default value is true. Do not change the default value. |
cookiePath | The default value is /. If you know a specific cookie path, specify it here. Setting useContextRootAsCookiePath can also work, but not all Operational Decision Manager applications are necessarily deployed under the same context root. A good practice is to place all Operational Decision Manager applications under /odm/xxx and then use /odm as the value of cookiePath, so that the session cookie is not sent to unrelated applications on the same host. |
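After changing the webAppSecurity and httpSession settings above, verify the result on the wire rather than trusting server.xml: capture the response headers of a login request (for example with curl -skI against the Decision Center URL) and check that every credential-bearing cookie carries Secure, HttpOnly and the intended Path. The following script is an added example, not code from the Operational Decision Manager product or its documentation. It assumes the cookie names listed on this page (LtpaToken2 and the DCSESSIONID session cookie from the httpSession element) and runs against a constructed HTTP response embedded inline, so it works offline.

```python
"""Audit Set-Cookie headers for the Secure, HttpOnly and Path attributes.

Added example: checks that the SSO and session cookies described above are
emitted with the flags that ssoRequiresSSL, httpOnlyCookies, cookieSecure and
cookieHttpOnly are supposed to enforce.
"""

# Cookies that carry a credential or session identifier and must be protected.
# Names are taken from the page; JSESSIONID is included in case cookieName was
# left at the Liberty default instead of DCSESSIONID.
SENSITIVE_COOKIES = {"LtpaToken2", "DCSESSIONID", "JSESSIONID"}

# Constructed sample response (not captured from a real server). The session
# cookie deliberately lacks Secure and uses a narrow Path, which is what an
# unmodified cookieSecure="false" default plus useContextRootAsCookiePath looks like.
RAW_RESPONSE = """HTTP/1.1 302 Found
Set-Cookie: LtpaToken2=AbCd1234EfGh; Path=/; Secure; HttpOnly
Set-Cookie: DCSESSIONID=0000Xy12:abc; Path=/decisioncenter; HttpOnly
Set-Cookie: WASReqURL=https://odm.example.com/decisioncenter/; Path=/; HttpOnly
Location: https://odm.example.com/decisioncenter/login.jsp
"""


def extract_set_cookie_headers(raw_response):
    """Return the values of all Set-Cookie headers in a raw HTTP response text."""
    headers = []
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            headers.append(value.strip())
    return headers


def parse_set_cookie(header_value):
    """Parse one Set-Cookie value into (cookie name, {attribute: value}).

    Flag attributes such as Secure and HttpOnly map to True; valued attributes
    such as Path map to their string value. Attribute keys are lower-cased so the
    check is independent of the casing the server uses.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), attrs


def audit_cookies(set_cookie_headers, expected_path="/"):
    """Return {cookie name: [problems]} for every sensitive cookie seen.

    An empty problem list means the cookie is correctly protected. Cookies that
    are not in SENSITIVE_COOKIES (WASReqURL, WASPostParam) are ignored, matching
    the page's guidance that they can be handled like other cookies.
    """
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name not in SENSITIVE_COOKIES:
            continue
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure (ssoRequiresSSL / cookieSecure not set to true)")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly (httpOnlyCookies / cookieHttpOnly not true)")
        path = attrs.get("path")
        if path != expected_path:
            problems.append(f"Path is {path!r}, expected {expected_path!r}")
        findings[name] = problems
    return findings


def audit_raw_response(raw_response, expected_path="/"):
    """Convenience wrapper: audit the Set-Cookie headers of a raw HTTP response."""
    return audit_cookies(extract_set_cookie_headers(raw_response), expected_path)


if __name__ == "__main__":
    for cookie, problems in audit_raw_response(RAW_RESPONSE).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{cookie}: {status}")
```

Run it against your own capture by replacing RAW_RESPONSE with the output of the login request; pass the cookiePath you configured (for example "/odm") as expected_path if you did not keep the default of "/". Any cookie reported with "missing Secure" is being sent over plain HTTP and should be fixed in server.xml before the server is exposed.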