Friday, March 21

How can we configure secure cookies on WebLogic Server?


Thanks to Naga Venkata Prasad


WebLogic Server allows a user to securely access HTTPS resources in a session that was initiated using HTTP, without loss of session data. To enable this feature, add AuthCookieEnabled="true" to the WebServer element in config.xml:


Setting AuthCookieEnabled to true, which is the default setting, causes the WebLogic Server instance to send a new secure cookie, _WL_AUTHCOOKIE_JSESSIONID, to the browser when authenticating via an HTTPS connection. Once the secure cookie is set, the session is allowed to access other security-constrained HTTPS resources only if the cookie is sent from the browser.

Thus, WebLogic Server uses two cookies: the JSESSIONID cookie and the _WL_AUTHCOOKIE_JSESSIONID cookie. By default, the JSESSIONID cookie is never secure, but the _WL_AUTHCOOKIE_JSESSIONID cookie is always secure. A secure cookie is only sent when an encrypted communication channel is in use. Assuming a standard HTTPS login (HTTPS is an encrypted HTTP connection), your browser gets both cookies.

For subsequent HTTP access, you are considered authenticated if you have a valid JSESSIONID cookie, but for HTTPS access, you must have both cookies to be considered authenticated. If you only have the JSESSIONID cookie, you must re-authenticate.

To configure on the Admin Console:

1)Log into WebLogic Admin Console.
2)Under Domain Structure, press click on .
3)Select the "Web Applications" tab.
4)Select "Lock and Edit" in the Change Center.
5)Click on the "Auth Cookie Enabled" checkbox.
6)Restart to confirm changes.
7)Test an application and view the cookie which was stored as "JSESSIONID."

To configure the Web application's weblogic-application.xml file:

1) Run the following to extract the file from the web application's weblogic-application.xml: $PATH_JDK_HOME/bin/jar -xvf easy-web-examples.ear META-INF/weblogic-application.xml
2) Add true between to the weblogic-application.xml.
3) Run the following to repackage the file to the application: $PATH_JDK_HOME/bin/jar -uvf easy-web-examples.ear META-INF/weblogic-application.xml
4) Deploy the application into WebLogic.

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)