
Administrative UI : Vulnerability : Lack of Cookie Attribute - Secure


Article ID: 4949




CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On


The session cookies for the Admin UI (JSESSIONID) are not configured to restrict access via unencrypted channels.

The ‘secure’ directive instructs the user's browser to send the cookie only over SSL/TLS encrypted channels.

Secure is not set for the JSESSIONID cookie. 


Administrative UI : R12.52 SP2


You can enable the Secure and HttpOnly flags by updating the following element in the web.xml file as shown below:


The location of the web.xml file is:





This version is not affected by this vulnerability and doesn't have this as a configuration option.


Element to modify 







Note:

  • You will need to recycle the Admin UI service after making the change.
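After the service has been recycled, the change can be confirmed by inspecting the Set-Cookie response headers that the Admin UI returns. The following check is an added example, not part of the original article or of CA's tooling; the function names, the `/adminui` path and the sample header values are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the Secure and HttpOnly attributes.
# All sample header values below are constructed, not captured from a real Admin UI.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, set of attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    # Attribute names are case-insensitive (RFC 6265); keep only the name
    # part so "Path=/x" becomes "path" and "Secure" becomes "secure".
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), value.strip(), attrs


def audit_cookie(set_cookie_headers, cookie_name="JSESSIONID",
                 required=("secure", "httponly")):
    """Return [(header, [missing attributes])] for every header that sets
    cookie_name without all required attributes. An empty list means pass."""
    findings, seen = [], False
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name != cookie_name:      # cookie names are case-sensitive
            continue
        seen = True
        missing = [a for a in required if a not in attrs]
        if missing:
            findings.append((header, missing))
    if not seen:
        # No verdict is possible if the cookie was never set in the sample.
        raise LookupError(f"{cookie_name} not present in the supplied headers")
    return findings


# Constructed samples. The first value contains the text "secure" inside the
# cookie value itself, which a naive substring search would wrongly accept.
BEFORE = ["JSESSIONID=A1B2C3secure; Path=/adminui"]
PARTIAL = ["LANG=en; Path=/", "JSESSIONID=A1B2C3; Path=/adminui; httponly"]
AFTER = ["JSESSIONID=A1B2C3; Path=/adminui; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("partial", PARTIAL), ("after", AFTER)):
        result = audit_cookie(sample)
        print(label, "PASS" if not result else f"FAIL {result}")
```

The headers to feed in can be copied from the browser's developer tools or from any HTTP client that prints response headers when the Admin UI login page is requested.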