Question

I'm working in a common environment having an Apache http-Server in front of the WebSphere Application Server 7 (running a WebSphere Portal Server 7) and now I'm trying to turn on the httpOnly and secure flags for the LTPA cookie.

According to "Secure and HttpOnly flags for session cookie Websphere 7" and the support note at IBM, I added the custom property com.ibm.ws.security.addHttpOnlyAttributeToCookies -> true inside the WAS7 configuration and restarted the server. The result was that the HttpOnly flag was set while the Secure flag wasn't.

Did anyone encounter the same problem and found a solution?


Solution

Okay, finally I found a (not the) solution. I set the "Requires SSL" flag for SSO. This was only mentioned by IBM as a standalone solution for the Secure flag. How to get there:

Security -> Global Security -> Web- and SIP-Security -> Single Sign-on (SSO) -> check "Requires SSL"

This has been done on IBM WebSphere Application Server 7 with fixpack 7.0.0.27. Maybe the solution from IBM was relying on an older version and they changed the behaviour in the meantime.
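To confirm that the change actually took effect at the edge (i.e. through the Apache front end, not just on the WAS container), inspect the Set-Cookie headers the server returns after a login and check that the LTPA cookie carries both attributes. The script below is an added example and not part of the original question or answer; the two sample header lists are constructed to mirror the "before" and "after" states described above, and the cookie names LtpaToken2 / LtpaToken are the standard WebSphere SSO cookie names. The live fetch helper needs network access and a URL of your own.

```python
"""Verify HttpOnly and Secure on the WebSphere LTPA SSO cookie.

Added example, not code from the original post. Sample headers are constructed.
"""
import http.client
import ssl
from urllib.parse import urlparse

# WebSphere single sign-on cookie names (LtpaToken2 is the current one).
LTPA_COOKIE_NAMES = ("LtpaToken2", "LtpaToken")
# Attribute names as they appear in Set-Cookie, compared case-insensitively.
REQUIRED_FLAGS = ("httponly", "secure")

# Constructed sample: what the original poster saw after enabling
# com.ibm.ws.security.addHttpOnlyAttributeToCookies only (no Secure).
SAMPLE_HEADERS_BEFORE = [
    "LtpaToken2=c29tZS1vcGFxdWUtdG9rZW4; Path=/; Domain=.example.com; HttpOnly",
    "JSESSIONID=0000abc123:1; Path=/; HttpOnly",
]
# Constructed sample: what the same response should look like once
# "Requires SSL" is enabled for SSO.
SAMPLE_HEADERS_AFTER = [
    "LtpaToken2=c29tZS1vcGFxdWUtdG9rZW4; Path=/; Domain=.example.com; Secure; HttpOnly",
    "JSESSIONID=0000abc123:1; Path=/; HttpOnly",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, set of lowercased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for part in parts[1:]:
        key = part.split("=", 1)[0].strip().lower()  # "Secure" -> "secure", "Max-Age=3" -> "max-age"
        if key:
            attrs.add(key)
    return name, attrs


def check_ltpa_cookies(set_cookie_headers):
    """Return {ltpa_cookie_name: [missing flags]} for every LTPA cookie in the headers.

    An empty list means the cookie carries both HttpOnly and Secure.
    Non-LTPA cookies (e.g. JSESSIONID) are ignored; an empty dict means no
    LTPA cookie was issued at all, which usually means the request never
    authenticated (the token is only set after a successful login).
    """
    findings = {}
    for value in set_cookie_headers:
        name, attrs = parse_set_cookie(value)
        if name in LTPA_COOKIE_NAMES:
            findings[name] = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
    return findings


def fetch_set_cookie_headers(url, extra_headers=None, timeout=10):
    """Live check: GET the URL over HTTPS and return every Set-Cookie header value.

    Pass credentials (e.g. an Authorization header, or the form-login request)
    via extra_headers; hit a protected resource so the server actually issues
    the LTPA token. Network access is required, so this is not exercised by the
    offline samples above.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("use https: with 'Requires SSL' the LTPA token is only sent over SSL")
    conn = http.client.HTTPSConnection(
        parsed.hostname, parsed.port or 443, timeout=timeout,
        context=ssl.create_default_context(),
    )
    conn.request("GET", parsed.path or "/", headers=extra_headers or {})
    resp = conn.getresponse()
    cookies = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return cookies


if __name__ == "__main__":
    print("before:", check_ltpa_cookies(SAMPLE_HEADERS_BEFORE))  # {'LtpaToken2': ['secure']}
    print("after: ", check_ltpa_cookies(SAMPLE_HEADERS_AFTER))   # {'LtpaToken2': []}
```

Run it against the real front end by calling fetch_set_cookie_headers on a protected portal URL with valid credentials and feeding the result to check_ltpa_cookies; an empty dict means no LTPA token was issued on that request, so retry against a resource that actually triggers authentication.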

Licensed under: CC-BY-SA with attribution