Release Automation Session Cookie Configuration


Article ID: 144421




CA Release Automation - Release Operations Center (Nolio)
CA Release Automation - DataManagement Server (Nolio)


The session cookie of CA Release Automation is missing the following configuration, which gets listed in vulnerability reports. How can this be corrected, or what is the justification for keeping it as is?
  • HttpOnly attribute is not set
  • Path attribute is set to /


Release : 6.6



The configuration and justification for each of the session cookie attributes listed above follow.
  • Configure Authentication Cookie Security
session.cookie.HttpOnly: Defines whether the Set-Cookie HTTP response header for the session cookie includes the HttpOnly flag. Without this flag, script injected through cross-site scripting (XSS) can read the session cookie via document.cookie and send it to an attacker; with the flag, the browser withholds the cookie from script and only attaches it to HTTP requests.

Enable session.cookie.HttpOnly
  • Open the configuration file located on the management server under RA_HOME\conf
  • Add the following text and set the parameter according to your security policy:
#set the following to true so the Set-Cookie HTTP response header contains HttpOnly flag
session.cookie.HttpOnly=true
  • Save and close the file
  • Restart the Release Automation Server service for the change to take effect
         Note: For more details, refer to Configure Authentication Cookie Security in the additional references.

  • Path attribute is set to /
Release Automation sub-components need the cookie information (such as the session ID) internally across different URL paths, so the Path attribute is set to / by product design. The Path attribute is not a security boundary in any case: the browser's same-origin policy does not take the URL path into account, so script running on any page of the same host can read the cookie whatever its Path, and narrowing it would add no protection. The Domain attribute, on the other hand, is deliberately not set, so the browser treats the session cookie as a host-only cookie and sends it only to the exact host that issued it, not to other hosts or subdomains. To protect the cookie further, enable SSL/TLS for the server and set the corresponding Secure-flag cookie parameter described in the Configure Authentication Cookie Security document, so the browser sends the cookie over encrypted connections only.

         Note: For more details, refer to Secure Communication in the additional references.
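The following is an added example for this article, not CA Release Automation code: a small audit of Set-Cookie headers that reports the same points a vulnerability scanner raises (HttpOnly, Secure when served over TLS, Domain) while treating Path=/ as scope information rather than a finding, for the reason given above. The cookie name SESSIONID and the sample headers are constructed for illustration and make no assumption about the product's real cookie name; pass a URL on the command line to read the live Set-Cookie headers after the HttpOnly change and restart.

```python
"""Audit Set-Cookie headers for the attributes vulnerability scanners flag.

Added example for this article; not CA Release Automation code. The cookie
name and sample headers below are constructed. With no argument the script
audits the samples offline; with a URL it audits the live response headers.
"""
import sys
import urllib.request


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    flag attributes such as HttpOnly and Secure map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header, served_over_tls=False):
    """Return scanner-style findings for one Set-Cookie header.

    Path=/ is deliberately not a finding: the same-origin policy ignores the
    URL path, so script on any page of the same host can read the cookie
    regardless of Path. A Domain attribute is reported because it widens the
    cookie to every subdomain; its absence means a host-only cookie.
    """
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable via document.cookie after XSS")
    if served_over_tls and "secure" not in attrs:
        findings.append(f"{name}: missing Secure, browser will also send it over plain HTTP")
    if "domain" in attrs:
        findings.append(f"{name}: Domain={attrs['domain']} shares the cookie with all subdomains")
    return findings


def describe_scope(header):
    """Explain where a browser will send the cookie (justification text for a report)."""
    name, _, attrs = parse_set_cookie(header)
    path = attrs.get("path", "(default: directory of the setting URL)")
    if "domain" in attrs:
        domain = f"host {attrs['domain']} and its subdomains"
    else:
        domain = "the exact host that set it only (host-only cookie)"
    return f"{name}: sent to {domain}, for URLs under Path={path}"


# Constructed samples: the session cookie before and after the change described here.
SAMPLE_BEFORE = "SESSIONID=0123456789abcdef; Path=/"
SAMPLE_AFTER = "SESSIONID=0123456789abcdef; Path=/; HttpOnly"
SAMPLE_AFTER_TLS = "SESSIONID=0123456789abcdef; Path=/; Secure; HttpOnly"


def fetch_set_cookie_headers(url):
    """Read every Set-Cookie header the server sends for one unauthenticated GET."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.headers.get_all("Set-Cookie") or []


def main(argv):
    live = len(argv) > 1
    headers = fetch_set_cookie_headers(argv[1]) if live else [SAMPLE_BEFORE, SAMPLE_AFTER]
    tls = live and argv[1].lower().startswith("https://")
    for header in headers:
        print(header)
        print("  " + describe_scope(header))
        for finding in audit_cookie(header, served_over_tls=tls):
            print("  FINDING " + finding)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the "before" sample flagged for HttpOnly and the "after" sample pass; run it with the server's login URL to confirm the same against the real response after the restart. With an https:// URL the Secure flag is checked as well, which matches the SSL recommendation above.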

Additional Information

Please refer to the CA Release Automation Product Security Configuration documents below.