Below are the configuration steps for, and the justification of, the session cookie attributes mentioned above.
- Configure Authentication Cookie Security
session.cookie.HttpOnly: Defines whether the Set-Cookie HTTP response header for the session cookie includes the HttpOnly flag. Without this flag, an attacker who achieves cross-site scripting can read the session cookie from script and replay it.
Enable session.cookie.HttpOnly
- Open the distributed.properties file located on the management server at RA_HOME\conf
- Add the following text to distributed.properties, and configure each parameter according to your security preference:
#set the following to true so the Set-Cookie HTTP response header contains HttpOnly flag
session.cookie.HttpOnly=true
- Save and Close distributed.properties file
- Restart the Release Automation Server service for the change to take effect
Note: For more details, see Configure Authentication Cookie Security in the additional references.
- Path attribute is set to /, Domain attribute is not set
Release Automation sub-components need to use cookie information such as the session ID internally, so the Path attribute is set to / by product design. The Domain attribute, on the other hand, is not set: a cookie without a Domain attribute is a host-only cookie, which the browser sends back only to the exact host that issued it, not to other hosts under the same parent domain. To protect the cookie further, implement SSL and set the session.cookie.secure parameter described in the document above, so that the browser sends the cookie over HTTPS only.
Note: For more details, see Secure Communication in the additional references.
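To verify the result of the HttpOnly procedure above, and to confirm the Path and Domain scoping just described, the session cookie's Set-Cookie header can be audited after the restart. The following script is an added example, not code from the Release Automation product or from this article: it parses Set-Cookie header values (RFC 6265 syntax) and reports whether HttpOnly and Secure are present, which Path the cookie is scoped to, and whether a Domain attribute widens it beyond the issuing host. The cookie name JSESSIONID, the URL handling and the sample header values are constructed assumptions for illustration.

```python
"""Audit session cookie attributes (HttpOnly, Secure, Path, Domain).

Added example, not part of the Release Automation product or this KB article.
The cookie name JSESSIONID and the SAMPLE_* header values below are
constructed for illustration.
"""
import ssl
import urllib.request


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
    Flag attributes that carry no value (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header, tls_enabled=True):
    """Audit one Set-Cookie header value.

    Returns a dict with the cookie's name, its Path scope, whether it is a
    host-only cookie (no Domain attribute) and a list of findings; an empty
    findings list means the cookie carries every expected attribute.
    tls_enabled=False suppresses the Secure finding for a server that is
    still on plain HTTP, where the Secure flag would stop the browser from
    sending the cookie at all.
    """
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly: script (e.g. via XSS) can read the cookie")
    if tls_enabled and attrs.get("secure") is not True:
        findings.append("missing Secure: the cookie is also sent over plain HTTP")
    if "domain" in attrs:
        findings.append("Domain=%s set: the cookie is sent to every host under that "
                        "domain, not only to the issuing host" % attrs["domain"])
    return {
        "name": name,
        "path": attrs.get("path", "(default-path derived from the request URI)"),
        "host_only": "domain" not in attrs,
        "findings": findings,
    }


def fetch_set_cookie_headers(url, verify_tls=True):
    """Request url and return every Set-Cookie header value in the response.

    verify_tls=False is only for lab servers with self-signed certificates;
    the audit itself is done by audit_cookie() on the returned values.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample headers: before and after enabling session.cookie.HttpOnly
# and session.cookie.secure, plus one that sets Domain (which the product does not).
SAMPLE_WEAK = "JSESSIONID=3F1A9C0B; Path=/"
SAMPLE_HARDENED = "JSESSIONID=3F1A9C0B; Path=/; Secure; HttpOnly"
SAMPLE_DOMAIN = "JSESSIONID=3F1A9C0B; Path=/; Domain=example.com; HttpOnly"


if __name__ == "__main__":
    for sample in (SAMPLE_WEAK, SAMPLE_HARDENED, SAMPLE_DOMAIN):
        result = audit_cookie(sample)
        print(sample)
        print("   path=%s host_only=%s" % (result["path"], result["host_only"]))
        for finding in result["findings"] or ["OK: HttpOnly and Secure set, host-only cookie"]:
            print("   ", finding)
```

Against a live server, pass the values returned by fetch_set_cookie_headers("https://<management-server>/...") to audit_cookie(); run it once before and once after the restart to confirm that HttpOnly (and, with SSL configured, Secure) appeared and that Path=/ and the absence of Domain are unchanged.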