How To
Summary
In many deployment environments, security protocol may dictate that the Secure and HttpOnly attributes be set on certain cookies. Liberty creates and manages three cookies by default: JSESSIONID, LtpaToken2, and WASReqUrl. This document will provide instructions on how to set the Secure and HttpOnly flags for those cookies.
Note that some features such as samlWebSso-2.0 and openIdConnectClient-1.0 include additional cookies for which the Secure and HttpOnly flags are set by default.
The values and flags of cookies set by applications running on Liberty are outside the scope of the Liberty product and should be addressed by the application which sets them.
Steps
<httpSession
    cookieSecure="true"
    cookieHttpOnly="true"
/>
Refer to the HTTP Session (httpSession) documentation for details about each specific element in the above markup. The httpSession markup controls the behavior of the JSESSIONID cookie.
<webAppSecurity
    ssoRequiresSSL="true"
    httpOnlyCookies="true"
/>
Refer to the Web Container Application Security (webAppSecurity) documentation for details about each specific element in the above markup. The webAppSecurity markup controls the behavior of the LtpaToken2 and WASReqUrl cookies.
Additional Information
Refer to the Setting up Admin Center documentation for details on how to install and configure Admin Center. After Admin Center is set up, navigate to Admin Center in a web browser and log in so that the LtpaToken2 and JSESSIONID cookies are set.
![image 7445](/support/pages/system/files/inline-images/image_7445.png)
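Once the cookies have been set, the flags can also be checked from the Set-Cookie response headers. The following is an added example, not IBM code: it assumes the default cookie names listed in the Summary, matches them case-insensitively, and runs on constructed sample headers with placeholder values.

```python
# Added example (not IBM code): check Set-Cookie headers for the Secure and
# HttpOnly flags on the cookies Liberty manages by default.
LIBERTY_COOKIES = ("JSESSIONID", "LtpaToken2", "WASReqUrl")  # names as given on this page
REQUIRED_FLAGS = ("secure", "httponly")

# Constructed sample headers; the values are placeholders, not real tokens.
SAMPLE_HEADERS = [
    "JSESSIONID=0000SAMPLE:-1; Path=/; Secure; HttpOnly",
    "LtpaToken2=SAMPLETOKEN; Path=/; HttpOnly",
    "appPref=dark; Path=/",  # application cookie, out of scope for Liberty settings
]

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit(set_cookie_values, cookies=LIBERTY_COOKIES):
    """Return {cookie: None if never set, else sorted list of missing flags}."""
    wanted = {c.lower(): c for c in cookies}  # match names case-insensitively
    report = {c: None for c in cookies}
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        canonical = wanted.get(name.lower())
        if canonical is None:
            continue
        missing = {f for f in REQUIRED_FLAGS if f not in attrs}
        # If a cookie is set more than once, any unflagged copy counts.
        report[canonical] = sorted(missing | set(report[canonical] or []))
    return report

if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        if missing is None:
            print(f"{cookie}: not set in these responses")
        elif missing:
            print(f"{cookie}: missing {', '.join(missing)}")
        else:
            print(f"{cookie}: OK")
```

A result of `None` means the cookie was not seen in the supplied headers, so its flags could not be verified from that capture.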
Document Location
Worldwide
Document Information
Modified date:
08 December 2020
UID
ibm16379246