[Master] Securing cookies in JBoss middleware products and F5 BigIP

Solution Verified - Updated -

Issue

  • Cookies generated by JBoss do not set the HttpOnly flag. Does JBoss intend to adopt this standard?
  • How can I enable the HttpOnly and/or Secure flags on my session cookies with EAP?
  • How can I enable the HttpOnly and/or Secure flags on my session cookies with Tomcat?
  • Can we set HttpOnly and/or Secure flags in HTTPD?
  • Is it possible to configure the SameSite flag on JSESSIONID cookies for EAP?

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
  • Red Hat JBoss Core Services
  • Red Hat Enterprise Linux
  • Red Hat Software Collections
  • Red Hat JBoss Web Server (JWS)
  • Apache Web Server (HTTPD)
  • Apache Tomcat
  • F5 BigIP Hardware Load Balancer
