WebSphere Application Server 7 - httpOnly & secure flag for LTPA

Question

I'm working in a common environment having an Apache http-Server in front of the WebSphere Application Server 7 (running a WebSphere Portal Server 7) and now I'm trying to turn on the httpOnly and secure flags for the LTPA cookie.

According to Secure and HttpOnly flags for session cookie Websphere 7 and the support node at IBM I added the custom property com.ibm.ws.security.addHttpOnlyAttributeToCookies -> true inside the WAS7 configuration and restartet the server. The result was that httpOnly flag was set while secure flag wasn't.

Did anyone encounter the same problem and found a solution?

score 2 · Accepted Answer · answered Mar 01 '13 at 10:06

Okay, finally I found a (not the) solution. I set the require SSL flag for SSO. This was just mentioned by IBM as standalone solution for the secure flag. How to get there:

Security -> Global Security -> Web- and SIP-Security -> Single Sign-on (SSO) -> check "Requires SSL"

This has been done on IBM WebSphere Application Server 7 with fixpack 7.0.0.27. Maybe the solution from IBM was relying to an older version and they changed the behvaiour in the meanwhile.

Any idea how to do this using jacl/jython? – meso_2600 Oct 18 '16 at 13:36 — meso_2600, Oct 18 '16 at 13:36

WebSphere Application Server 7 - httpOnly & secure flag for LTPA

1 Answers1