15.6. About http-only Session Management Cookies

The http-only attribute for session management cookies mitigates the risk of security vulnerabilities by restricting access from non-HTTP APIs (such as JavaScript). This restriction helps mitigate the threat of session cookie theft via cross-site scripting attacks. On the client side, the cookies cannot be accessed using JavaScript or other scripting methods. This applies only to session management cookies and not other browser cookies. By default, the http-only attribute is enabled.
If it has not yet been done, you need to add SSO to the virtual server in the web subsystem to use the http-only attribute.

Example 15.4. Add SSO to the Virtual Server

Enter the following Management CLI command to add SSO to the virtual server in the web subsystem.
/subsystem=web/virtual-server=default-host/configuration=sso:add

Note

If this command results in a "JBAS014803: Duplicate resource" failure, it means SSO is already added to the virtual server configuration. You can ignore this error and continue.

Note

JSESSIONID and JSESSIONIDSSO are session tracking cookies. By default, they are http-only and must not be accessed by scripts.

Example 15.5. Verify the http-only Attribute

Enter the following Management CLI command to verify the value of the http-only attribute.
/subsystem=web/virtual-server=default-host/configuration=sso:read-resource
{
    "outcome" => "success",
    "result" => {
        "cache-container" => undefined,
        "cache-name" => undefined,
        "domain" => undefined,
        "http-only" => true,
        "reauthenticate" => undefined
    },
    "response-headers" => {"process-state" => "reload-required"}
}

Example 15.6. Enable the http-only Attribute

Enter the following Management CLI command to enable the http-only attribute.
/subsystem=web/virtual-server=default-host/configuration=sso:write-attribute(name=http-only,value=true)