Administrative UI : Vulnerability : Lack of Cookie Attribute - Secure

Document ID : KB000004949
Last Modified Date : 14/02/2018

The Admin UI session cookie (JSESSIONID) is not configured to prevent it from being sent over unencrypted channels.

The ‘secure’ directive instructs the user's browser to send the cookie only over SSL/TLS encrypted channels.

Secure is not set for the JSESSIONID cookie. 

Administrative UI : R12.52 SP2

You can enable the Secure and HttpOnly flags by updating the following element in the web.xml file as shown below:


The location of the web.xml file is:





This version is not affected by this vulnerability and does not have this as a configuration option.


Element to modify 







Note :

  • You will need to recycle the Admin UI service after making the change.
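
One way to confirm the change once the service has been recycled, as an added example that is not part of the original document or the product: the Python below audits captured HTTP response headers and reports which of the Secure and HttpOnly attributes are missing from each JSESSIONID cookie. The sample responses, cookie value and path are constructed placeholders, and the function names are hypothetical.

```python
# Added example: audit captured response headers for the session cookie flags.
REQUIRED = ("secure", "httponly")  # attribute names, compared case-insensitively

# Constructed sample responses; the cookie value and path are placeholders.
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Set-Cookie: JSESSIONID=EXAMPLE0000; Path=/secure-placeholder\r\n"
          "Content-Type: text/html\r\n")
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Set-Cookie: JSESSIONID=EXAMPLE0000; Path=/secure-placeholder; Secure; HttpOnly\r\n"
         "Content-Type: text/html\r\n")


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names) for one header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Only the attribute name counts, so "Path=/secure-placeholder" is not "Secure".
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(raw_headers, cookie_name="JSESSIONID"):
    """Return one list of missing attributes per Set-Cookie header for cookie_name."""
    findings = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name == cookie_name:
            findings.append([a for a in REQUIRED if a not in attrs])
    return findings


def is_compliant(raw_headers, cookie_name="JSESSIONID"):
    """True only if the cookie was set at least once and never without a flag."""
    findings = audit_headers(raw_headers, cookie_name)
    return bool(findings) and all(not missing for missing in findings)


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(sample), "compliant:", is_compliant(sample))
```

A response that does not set JSESSIONID at all is reported as non-compliant, so capture the headers from a request that starts a new session.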