Administrative UI : Vulnerability : Lack of Cookie Attribute - Secure

Document ID : KB000004949
Last Modified Date : 14/02/2018
Issue:

The session cookie for the Admin UI (JSESSIONID) is not configured to restrict transmission to encrypted channels.

The Secure attribute instructs the user's browser to send the cookie only over SSL/TLS-encrypted connections.

The Secure attribute is not set on the JSESSIONID cookie.

Environment:
Administrative UI : R12.52 SP2
Resolution:

You can enable the Secure and HttpOnly flags by updating the element shown below in the web.xml file.

The location of the web.xml file is:

12.52 SP2:

<AdminUI_Install_directory>\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF


12.52 SP1:

This version is not affected by this vulnerability and does not offer this configuration option.


Element to modify
===============

<!-- cookie-config is a child of session-config; http-only and secure take true/false -->
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>


Note :

  • You will need to recycle (restart) the Admin UI service after making the change.
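To confirm the change took effect after the recycle, the following added Python script (not from this KB article or the product) checks both the web.xml cookie-config fragment and the Set-Cookie header the Admin UI returns; the web.xml content and header lines are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not the product's real file) containing the
# session-config/cookie-config block this KB article tells you to add.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
"""

# Constructed Set-Cookie header values: one hardened, one still missing both flags.
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123; Path=/iam/siteminder; Secure; HttpOnly",
    "JSESSIONID=DEF456; Path=/iam/siteminder",
]


def _local(tag):
    """Strip the XML namespace so web.xml tags can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def check_web_xml(xml_text):
    """Return {'secure': bool, 'http-only': bool} read from cookie-config.

    A flag counts as set only when its element exists and reads 'true';
    a non-boolean value such as '30' in <http-only> is reported as not set.
    """
    result = {"secure": False, "http-only": False}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "cookie-config":
            continue
        for child in elem:
            name = _local(child.tag)
            if name in result:
                result[name] = (child.text or "").strip().lower() == "true"
    return result


def check_set_cookie(header, cookie_name="JSESSIONID"):
    """Return the set of required attributes missing from a Set-Cookie header
    for cookie_name ('secure', 'httponly'), or None if it is another cookie."""
    name, _, rest = header.partition("=")
    if name.strip() != cookie_name:
        return None
    attrs = {a.strip().split("=")[0].lower() for a in rest.split(";")[1:]}
    return {flag for flag in ("secure", "httponly") if flag not in attrs}
```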