The session cookie for the Admin UI (JSESSIONID) is not configured to restrict transmission to encrypted channels.
The 'Secure' flag instructs the user's browser to send the cookie only over SSL/TLS encrypted connections; without it the browser will also send the cookie over plain HTTP, where it can be read in transit.
Secure is not set for the JSESSIONID cookie.
You can enable the Secure and HttpOnly flags by updating the following element in the web.xml file as shown below:
The location of the web.xml file is:
12.52SP2:
<AdminUI_Install_directory>\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF
12.52SP1:
This version is not affected by this vulnerability and does not have this configuration option.
Element to modify
===============
<!-- <cookie-config> is a child of <session-config>; both flags take true/false -->
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
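After redeploying, confirm the change took effect by inspecting the Set-Cookie header the Admin UI returns on login. The following is an added verification example, not part of the original article or the product; the header values are constructed for illustration and the function names are the example's own.

```python
"""Check Set-Cookie headers for the Secure and HttpOnly attributes.

Added example (not from the original article): given the raw Set-Cookie
header values a server returned, report which hardening flags the
JSESSIONID cookie is missing. The sample headers below are constructed.
"""
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its cookie name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased
    before comparison. Valueless attributes such as Secure map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_flags(header_value: str) -> List[str]:
    """Return the hardening attributes absent from a single Set-Cookie value."""
    attrs = parse_set_cookie(header_value)["attrs"]
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


def audit_session_cookies(set_cookie_headers: List[str],
                          cookie_name: str = "JSESSIONID") -> Dict[str, List[str]]:
    """Map each Set-Cookie header for cookie_name to the flags it lacks.

    Cookies with other names are ignored so the report stays focused on the
    session cookie the fix targets.
    """
    findings: Dict[str, List[str]] = {}
    for hv in set_cookie_headers:
        if parse_set_cookie(hv)["name"] == cookie_name:
            findings[hv] = missing_flags(hv)
    return findings


# Constructed sample responses: the cookie before and after the web.xml change.
BEFORE = "JSESSIONID=ABC123; Path=/"
AFTER = "JSESSIONID=ABC123; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for hv, gaps in audit_session_cookies([BEFORE, AFTER]).items():
        status = "OK" if not gaps else "missing " + ", ".join(gaps)
        print(f"{hv!r}: {status}")
```

Feed the function the Set-Cookie values captured from a login response (for example with curl -i against the Admin UI over HTTPS); an empty list for the JSESSIONID entry means both flags are present.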
Note :