15.6. About http-only Session Management Cookies

The http-only attribute on session management cookies restricts access to those cookies from non-HTTP APIs such as JavaScript. This mitigates the threat of session cookie theft through cross-site scripting (XSS) attacks: on the client side, the cookies cannot be read by JavaScript or other scripting methods. The attribute applies only to session management cookies and not to other browser cookies. By default, the http-only attribute is enabled.
If SSO has not yet been added to the virtual server in the web subsystem, you need to add it before you can use the http-only attribute.

Example 15.4. Add SSO to the Virtual Server

Enter the following Management CLI command to add SSO to the virtual server in the web subsystem.
/subsystem=web/virtual-server=default-host/configuration=sso:add

Note

If this command results in a "JBAS014803: Duplicate resource" failure, it means SSO is already added to the virtual server configuration. You can ignore this error and continue.

Note

JSESSIONID and JSESSIONIDSSO are session tracking cookies. By default, they are http-only, so they cannot be accessed by scripts.

Example 15.5. Verify the http-only Attribute

Enter the following Management CLI command to verify the value of the http-only attribute.
/subsystem=web/virtual-server=default-host/configuration=sso:read-resource
{
    "outcome" => "success",
    "result" => {
        "cache-container" => undefined,
        "cache-name" => undefined,
        "domain" => undefined,
        "http-only" => true,
        "reauthenticate" => undefined
    },
    "response-headers" => {"process-state" => "reload-required"}
}

Example 15.6. Enable the http-only Attribute

Enter the following Management CLI command to enable the http-only attribute.
/subsystem=web/virtual-server=default-host/configuration=sso:write-attribute(name=http-only,value=true)
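The Management CLI commands above configure the attribute on the server side. A practitioner usually also wants to confirm, from the client side, that the Set-Cookie headers the server actually sends carry the HttpOnly flag on JSESSIONID and JSESSIONIDSSO. The following script is an added example, not part of the Red Hat documentation or the EAP code base; it assumes you have captured the Set-Cookie header values from an HTTP response (for instance with a browser's developer tools or curl) and pasted them into the list. The sample header values are constructed for illustration.

```python
"""Check captured Set-Cookie header values for the HttpOnly attribute on session cookies."""

# The session tracking cookies named in the documentation; both are http-only by default.
SESSION_COOKIES = {"JSESSIONID", "JSESSIONIDSSO"}

# Constructed sample of Set-Cookie header values (hypothetical, not captured from a real server).
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/app; HttpOnly",
    "JSESSIONIDSSO=def456; Path=/",        # no HttpOnly: readable by script, should be flagged
    "theme=dark; Path=/; Max-Age=3600",    # not a session cookie: ignored by the check
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, attribute map).

    Attribute names are lower-cased; flag attributes without a value (HttpOnly, Secure)
    map to True, valued attributes (Path, Max-Age) map to their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    return name.strip(), attrs


def session_cookies_missing_httponly(headers):
    """Return the names of session tracking cookies that were set without HttpOnly."""
    missing = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name in SESSION_COOKIES and attrs.get("httponly") is not True:
            missing.append(name)
    return missing


if __name__ == "__main__":
    flagged = session_cookies_missing_httponly(SAMPLE_HEADERS)
    if flagged:
        print("Session cookies exposed to script (no HttpOnly):", ", ".join(flagged))
    else:
        print("All session tracking cookies carry HttpOnly")
```

Run the script against headers captured after the server has been reloaded (the read-resource output above reports "reload-required", so a check made before the reload may still show the old behaviour). Any JSESSIONID or JSESSIONIDSSO value reported by the script is one that a page script could read, which is exactly the exposure the http-only attribute is meant to remove.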