WAM UI - TLS cookie without secure flag set

Article ID: 258266

Products

SITEMINDER

Issue/Introduction

The JSESSIONID cookie is issued by the application without the secure flag set.

The cookie appears to contain a session token, which increases the risk associated with this issue: without the secure flag a browser will also send it over plain HTTP. Review the contents of the cookie to confirm its function.

Environment

Policy Server Version: 12.8 SP6a
Policy Server OS: Linux x86_64

WAM UI Version: 12.8 SP6a
WAM UI OS: Linux x86_64

Resolution

The Siteminder AdminUI is hosted on a JBoss WildFly application server. The 'secure' and 'HttpOnly' flags for the cookies set by JBoss (e.g. JSESSIONID) are controlled by the 'session-config' element in the following file:

<administrative_ui_installation_path>\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF\web.xml

1) Stop the Siteminder AdminUI

2) Edit the following file:

<administrative_ui_installation_path>\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF\web.xml

3) Locate the 'session-config' element. Before the fix it will be similar to the following (the 'secure' element is absent):

    <session-config>
      <cookie-config>
        <http-only>true</http-only>
      </cookie-config>
    </session-config>

4) Add a 'secure' element inside the 'cookie-config' element so that it reads:

    <session-config>
      <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
      </cookie-config>
    </session-config>

Note: once 'secure' is set, browsers return JSESSIONID only over HTTPS. The Admin UI must therefore be accessed over HTTPS; over plain HTTP the session cookie is never sent back and the session cannot be maintained.

5) Save the changes.

6) Start the Admin UI.
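After restarting, confirm from a client that the attributes are actually present on the Set-Cookie header rather than trusting the edit alone. The script below is an added example, not part of the Broadcom article or the SiteMinder product: it parses Set-Cookie header values (case-insensitively, token by token, as attribute names are case-insensitive) and reports which of Secure and HttpOnly are missing. The sample header values are constructed, and the ADMINUI_URL and cookie Path used are assumptions, not values from the article.

```shell
#!/bin/sh
# Added example, not part of the Broadcom article: verify that the Admin UI's
# JSESSIONID Set-Cookie header carries the Secure and HttpOnly attributes.
# The sample headers below are constructed; the Admin UI URL and cookie Path
# are assumptions, not values taken from the article.

# cookie_has_attr HEADER_VALUE ATTR
# True if the Set-Cookie value contains the flag attribute ATTR (case-insensitive,
# matched as a whole token, so a cookie value that merely contains the word does not count).
cookie_has_attr() {
  attr=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  printf '%s' "$1" | tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | tr 'A-Z' 'a-z' | grep -qxF "$attr"
}

# check_session_cookie HEADER_VALUE
# Prints OK, or MISSING: followed by the absent attributes; returns 1 if any is absent.
check_session_cookie() {
  missing=""
  cookie_has_attr "$1" Secure   || missing="$missing Secure"
  cookie_has_attr "$1" HttpOnly || missing="$missing HttpOnly"
  if [ -n "$missing" ]; then
    printf 'MISSING:%s\n' "$missing"
    return 1
  fi
  printf 'OK\n'
}

# jsessionid_set_cookie HEADER_FILE
# Extracts the value of the first Set-Cookie header that sets JSESSIONID from a
# raw response-header dump (what 'curl -D' writes), stripping the trailing CR.
jsessionid_set_cookie() {
  grep -i '^set-cookie:[[:space:]]*JSESSIONID=' "$1" | head -n 1 \
    | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r'
}

# Constructed sample headers: what JBoss emits before and after the web.xml change.
BEFORE='JSESSIONID=3F0D2A1C9B7E; Path=/iam/siteminder/adminui; HttpOnly'
AFTER='JSESSIONID=3F0D2A1C9B7E; Path=/iam/siteminder/adminui; Secure; HttpOnly'

for hdr in "$BEFORE" "$AFTER"; do
  printf '%s\n  -> ' "$hdr"
  check_session_cookie "$hdr" || true
done

# Live check against a running Admin UI, only when ADMINUI_URL is set, e.g.
#   ADMINUI_URL=https://adminui.example.com:8443/iam/siteminder/adminui sh check_cookie.sh
# -k is only for lab hosts with self-signed certificates; drop it in production.
if [ -n "${ADMINUI_URL:-}" ]; then
  hdrs=$(mktemp)
  curl -sk -o /dev/null -D "$hdrs" "$ADMINUI_URL"
  live=$(jsessionid_set_cookie "$hdrs")
  rm -f "$hdrs"
  if [ -z "$live" ]; then
    echo "no JSESSIONID cookie set by $ADMINUI_URL"
  else
    printf '%s\n  -> ' "$live"
    check_session_cookie "$live" || true
  fi
fi
```

Run it without ADMINUI_URL to see the before/after samples evaluated; set ADMINUI_URL to the Admin UI login URL to check the live server. Because the session cookie is only issued on the first request, run the live check from a fresh client (no cookie jar), or the response will not carry a Set-Cookie header at all.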

Additional Information

https://knowledge.broadcom.com/external/article/228182/admin-ui-jsessionid-cookie-is-not-marked.html