Siteminder AdminUI - TLS cookie without secure flag set
Article ID: 258266
Updated On: 11-18-2024
Products
SITEMINDER
Issue/Introduction
When running AdminUI, the JSESSIONID cookie issued by the application does not have the secure flag set. The cookie appears to contain a session token, which may increase the risk associated with this issue.
Environment
Policy Server Version: 12.8 SP6a on Linux x86_64; AdminUI (WAM UI) 12.8SP6a on Linux x86_64.
Resolution
The Siteminder AdminUI is hosted on a JBOSS Wildfly application server. The 'secure' and 'HTTPOnly' flags for the cookies set by JBOSS (e.g. JSESSIONID) (1) are controlled within the following file:
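To confirm whether the issue described above is present, or that the flags are correctly set after the configuration change, the Set-Cookie headers returned by the application can be inspected. The following checker is an added example and is not part of this article or of any Siteminder or JBoss component; the sample headers and the session token value in it are constructed, and `fetch_set_cookie_headers` is a helper assumed here for pulling headers from a live AdminUI URL over HTTPS.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example (not from the article or vendor). It parses raw Set-Cookie
header values and reports session cookies that lack the Secure or HttpOnly
flag, which is the condition the article describes for JSESSIONID.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List
import urllib.request

# Cookie names treated as session carriers. JSESSIONID is the one named in
# the article; add further names for your own deployment as needed.
SESSION_COOKIE_NAMES = {"JSESSIONID"}

# Constructed sample responses: one insecure JSESSIONID (the reported
# condition), one correctly flagged JSESSIONID, and one non-session cookie.
SAMPLE_HEADERS = [
    "JSESSIONID=CONSTRUCTED-SESSION-TOKEN; Path=/; HttpOnly",
    "JSESSIONID=CONSTRUCTED-SESSION-TOKEN; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/; Max-Age=3600",
]


@dataclass
class CookieInfo:
    """A single parsed Set-Cookie header."""
    name: str
    value: str
    # Attribute names lower-cased; flag attributes map to an empty string.
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Parse 'name=value; Attr; Attr=val' into a CookieInfo.

    Attribute names are compared case-insensitively, as browsers do, so
    'secure', 'Secure' and 'SECURE' are all recognised.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed Set-Cookie header: {header_value!r}")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return CookieInfo(name.strip(), value.strip(), attrs)


def audit(headers: Iterable[str], session_names=SESSION_COOKIE_NAMES) -> List[str]:
    """Return one finding per session cookie that is missing Secure or HttpOnly."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name not in session_names:
            continue  # only session-bearing cookies are in scope
        missing = []
        if not cookie.secure:
            missing.append("Secure")
        if not cookie.httponly:
            missing.append("HttpOnly")
        if missing:
            findings.append(f"{cookie.name}: missing {', '.join(missing)}")
    return findings


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Assumed helper: collect every Set-Cookie header from a live response.

    Use an https:// URL; a container may legitimately omit Secure on plain
    HTTP, so only an HTTPS response is meaningful for this check.
    """
    with urllib.request.urlopen(url) as resp:  # nosec: operator-supplied URL
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    # Offline demonstration on the constructed headers.
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
    # For a live check: audit(fetch_set_cookie_headers("https://adminui.example/"))
```

Run it against an HTTPS response from the AdminUI login page before and after applying the configuration change; an empty findings list for JSESSIONID confirms both flags are present.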