Question
I want to set session cookie to "secure", but I want to be able to access the app with http on some test boxes and https in upper environments.
I am setting JSESSIONID to cookie-secure=true this way:
weblogic.xml:
<session-descriptor>
<cookie-http-only>true</cookie-http-only>
<cookie-secure>true</cookie-secure>
</session-descriptor>
HTTPS requests work fine, but every request over the non-SSL protocol yields a new JSESSIONID. Is there some other setting I can use to conditionally set cookie-secure?
Answer 1:
It's not necessary to make the JSESSIONID cookie secure if the Auth Cookie Enabled flag is checked, which is the default in the WebLogic console.
Setting AuthCookieEnabled to true, causes the WebLogic Server instance to send a new secure cookie, _WL_AUTHCOOKIE_JSESSIONID, to the browser when authenticating via an HTTPS connection. Once the secure cookie is set, the session is allowed to access other security-constrained HTTPS resources only if the cookie is sent from the browser.
Thus, WebLogic Server uses two cookies: the JSESSIONID cookie and the _WL_AUTHCOOKIE_JSESSIONID cookie. By default, the JSESSIONID cookie is never secure, but the _WL_AUTHCOOKIE_JSESSIONID cookie is always secure. A secure cookie is only sent when an encrypted communication channel is in use. Assuming a standard HTTPS login (HTTPS is an encrypted HTTP connection), your browser gets both cookies.
For more info, please see http://docs.oracle.com/cd/E23943_01/web.1111/e13711/thin_client.htm#autoId4
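To make the two behaviours concrete, here is an added example (not code from the original post or from WebLogic) that models a browser cookie jar honouring the Secure attribute and a toy session tracker. The cookie names JSESSIONID and _WL_AUTHCOOKIE_JSESSIONID come from the answer above; the paths, the session-id format and the server logic are simplified assumptions, not WebLogic's actual implementation. It shows why a Secure JSESSIONID produces a fresh session on every plain-HTTP request, and how the default two-cookie scheme keeps one session over both schemes while still refusing security-constrained resources over HTTP.

```python
"""Model of browser Secure-cookie handling (added example, not from the
original post).  cookie-secure=true in weblogic.xml is modelled by
jsessionid_secure; the AuthCookieEnabled console flag by auth_cookie.
Paths, id formats and server logic are simplified assumptions."""
from dataclasses import dataclass
from itertools import count


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = True


class CookieJar:
    """Minimal RFC 6265-style jar: a Secure cookie is only attached to
    requests sent over an encrypted (https) scheme."""

    def __init__(self):
        self._cookies = {}

    def store(self, cookie):
        self._cookies[cookie.name] = cookie

    def for_request(self, scheme):
        return {c.name: c.value for c in self._cookies.values()
                if scheme == "https" or not c.secure}


class Server:
    """Toy session tracker standing in for the app server (assumption)."""

    def __init__(self, jsessionid_secure, auth_cookie):
        self.jsessionid_secure = jsessionid_secure
        self.auth_cookie = auth_cookie
        self._ids = count(1)
        self.sessions = {}     # session id -> server-side state
        self.auth_tokens = {}  # session id -> _WL_AUTHCOOKIE_JSESSIONID value

    def handle(self, scheme, path, sent_cookies):
        """Return (status, session_id, list of Cookie objects to set)."""
        set_cookies = []
        sid = sent_cookies.get("JSESSIONID")
        if sid not in self.sessions:
            # No usable session cookie arrived: create a brand-new session.
            sid = f"S{next(self._ids)}"
            self.sessions[sid] = {}
            set_cookies.append(Cookie("JSESSIONID", sid, secure=self.jsessionid_secure))
        if path == "/login" and scheme == "https":
            self.sessions[sid]["authenticated"] = True
            if self.auth_cookie:
                token = f"AUTH-{sid}"
                self.auth_tokens[sid] = token
                set_cookies.append(Cookie("_WL_AUTHCOOKIE_JSESSIONID", token, secure=True))
            return 200, sid, set_cookies
        if path.startswith("/secure/"):
            authed = self.sessions[sid].get("authenticated", False)
            if self.auth_cookie:
                # Security-constrained resource: the Secure auth cookie must
                # accompany the request, so the plain-HTTP session id alone
                # is not enough.
                authed = authed and (sent_cookies.get("_WL_AUTHCOOKIE_JSESSIONID")
                                     == self.auth_tokens.get(sid))
            return (200 if authed else 403), sid, set_cookies
        return 200, sid, set_cookies


def browse(server, scheme, path, jar):
    status, sid, set_cookies = server.handle(scheme, path, jar.for_request(scheme))
    for c in set_cookies:
        jar.store(c)
    return status, sid


def secure_jsessionid_over_http():
    """cookie-secure=true: the jar never sends JSESSIONID over http, so
    every http request starts a new session (the asker's symptom)."""
    server, jar = Server(jsessionid_secure=True, auth_cookie=False), CookieJar()
    return [browse(server, "http", "/", jar)[1] for _ in range(3)]


def default_two_cookie_scheme():
    """AuthCookieEnabled: JSESSIONID travels over both schemes, so the
    session is stable; only the auth cookie is withheld on http, so
    security-constrained resources are refused there."""
    server, jar = Server(jsessionid_secure=False, auth_cookie=True), CookieJar()
    _, sid_login = browse(server, "https", "/login", jar)
    status_https, sid_https = browse(server, "https", "/secure/data", jar)
    status_http, sid_http = browse(server, "http", "/secure/data", jar)
    status_public, sid_public = browse(server, "http", "/", jar)
    return {"same_session": sid_login == sid_https == sid_http == sid_public,
            "https_secure": status_https, "http_secure": status_http,
            "http_public": status_public}


if __name__ == "__main__":
    print(secure_jsessionid_over_http())   # ['S1', 'S2', 'S3']
    print(default_two_cookie_scheme())
```

Running it prints three different session ids for the secure-JSESSIONID case, and for the two-cookie case a single session id with 200 over HTTPS, 403 for the constrained path over HTTP, and 200 for the public path over HTTP. The point for defenders is that the session identifier on its own is not the credential: the Secure auth cookie is what gates the protected resources, so leaking JSESSIONID over HTTP does not by itself grant access to them.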
Source: https://stackoverflow.com/questions/23301636/weblogic-jsessionid-cookie-secure