IBM Support

Setting the HTTPOnly and Secure Flags on WebSphere Liberty Profile Server Cookies

How To


Summary

In many deployment environments, security policy may require that the Secure and HttpOnly attributes be set on certain cookies. Liberty creates and manages three cookies by default: JSESSIONID, LtpaToken2, and WASReqUrl. This document provides instructions on how to set the Secure and HttpOnly flags for those cookies.

Note that some features such as samlWebSso-2.0 and openIdConnectClient-1.0 include additional cookies for which the Secure and HttpOnly flags are set by default.

The values and flags of cookies set by applications running on Liberty are outside the scope of the Liberty product and should be addressed by the application that sets them.

Steps

Add or modify server.xml so that it contains the following two sets of markup:

    <httpSession
        cookieSecure="true"
        cookieHttpOnly="true"
    />

Refer to the HTTP Session (httpSession) documentation for details about each specific element in the above markup. The httpSession markup controls the behavior of the JSESSIONID cookie.

    <webAppSecurity
        ssoRequiresSSL="true"
        httpOnlyCookies="true"
    />

Refer to the Web Container Application Security (webAppSecurity) documentation for details about each specific element in the above markup. The webAppSecurity markup controls the behavior of the LtpaToken2 and WASReqUrl cookies.

Additional Information

To verify the settings are in effect, you can test with the Liberty Admin Center and Firefox's developer tools.

Refer to the Setting up Admin Center documentation for details on how to install and configure Admin Center. After Admin Center is set up, navigate to Admin Center in a web browser and log in so that the LtpaToken2 and JSESSIONID cookies are set.

From there, the cookie values and flags can be monitored in the Web Developer > Debugger > Storage debug menu in Firefox:
[Screenshot: Firefox Storage panel listing the Liberty cookies with their Secure and HttpOnly flags]
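The browser check above is manual. The following script is an added example (not IBM's code) that automates both halves of this document: it reads the httpSession and webAppSecurity attributes from a server.xml fragment to show which flags the configuration requests for JSESSIONID, LtpaToken2 and WASReqUrl, and it parses Set-Cookie response headers (as copied from the browser's Network panel or a curl -i run) to report any of those cookies that arrive without Secure or HttpOnly. The server.xml fragment and the Set-Cookie lines below are constructed sample input; the mapping of cookies to configuration elements is the one this document describes.

```python
"""Audit Liberty's default cookies for the Secure and HttpOnly flags.

Added example, not part of the IBM document or the Liberty product.
Sample inputs below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# cookie name -> (server.xml element, attribute for Secure, attribute for HttpOnly)
# This mapping follows the IBM document: httpSession governs JSESSIONID,
# webAppSecurity governs LtpaToken2 and WASReqUrl.
LIBERTY_COOKIES = {
    "JSESSIONID": ("httpSession", "cookieSecure", "cookieHttpOnly"),
    "LtpaToken2": ("webAppSecurity", "ssoRequiresSSL", "httpOnlyCookies"),
    "WASReqUrl": ("webAppSecurity", "ssoRequiresSSL", "httpOnlyCookies"),
}


def expected_flags_from_server_xml(xml_text):
    """Return {cookie: {"Secure": bool, "HttpOnly": bool}} as requested by server.xml.

    An attribute that is absent or not "true" is reported as False here, meaning
    "not explicitly enabled in this fragment"; Liberty's own default then applies.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for cookie, (element, secure_attr, httponly_attr) in LIBERTY_COOKIES.items():
        el = root.find(element)  # direct child of <server>
        secure = el is not None and el.get(secure_attr, "").lower() == "true"
        httponly = el is not None and el.get(httponly_attr, "").lower() == "true"
        result[cookie] = {"Secure": secure, "HttpOnly": httponly}
    return result


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {lower-cased attribute names})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), value, attrs


def audit_set_cookie_headers(headers):
    """Return {cookie: [missing flags]} for every Liberty-managed cookie seen.

    Cookies set by applications are ignored, as the document places them outside
    the product's scope.
    """
    findings = {}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if name not in LIBERTY_COOKIES:
            continue
        findings[name] = [flag for flag in ("Secure", "HttpOnly")
                          if flag.lower() not in attrs]
    return findings


# Constructed sample server.xml fragment using the markup from this document.
SAMPLE_SERVER_XML = """<server>
    <httpSession cookieSecure="true" cookieHttpOnly="true" />
    <webAppSecurity ssoRequiresSSL="true" httpOnlyCookies="true" />
</server>"""

# Constructed Set-Cookie lines; token values are placeholders.
SAMPLE_HEADERS = [
    "JSESSIONID=0000EXAMPLESESSION:-1; Path=/; HttpOnly",            # Secure missing
    "LtpaToken2=EXAMPLELTPATOKEN; Path=/; Secure; HttpOnly",          # compliant
    "WASReqUrl=https%3A%2F%2Fhost%3A9443%2Fadminhttp; Path=/; Secure",  # HttpOnly missing
    "myAppCookie=1; Path=/",                                          # application cookie: ignored
]

if __name__ == "__main__":
    print("Requested by server.xml:", expected_flags_from_server_xml(SAMPLE_SERVER_XML))
    for cookie, missing in audit_set_cookie_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Run the script against the Set-Cookie headers captured from your own server after applying the configuration; any cookie listed with a missing flag indicates that the corresponding server.xml attribute is not in effect, or that the response was served over plain HTTP where Liberty does not send the Secure cookies.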

Document Information

Modified date:
08 December 2020

UID

ibm16379246