We want to make all cookies set by our webapp http-only. I only have a basic understanding of the benefits of doing this, but I'm told by security people that it's a Good Thing (tm). Our app is running under JDK 1.6.05 and WebLogic 10.3.0.
After way too much digging around Oracle's website for documentation, I've found good evidence that the first version of WebLogic to support http-only cookies is 10.3.1. By "support," I mean the cookie-http-only deployment-descriptor element.
Before we go about upgrading, it'd be nice to have these questions answered:
1a) Is it accurate that WL 10.3.1 is the first version to support http-only cookies and that we're out of luck with 10.3.0?
1b) If we do indeed need to upgrade, is there an easy way to do so under Windows? I've heard people mention an "upgrade jar" that you just stick in the classpath, but I can't find any mention of this by Oracle. Does an easy way exist, or do we need to do a full install of the new version?
2) What does the cookie-http-only deployment-descriptor element do when enabled? Will it ensure all cookies set by the application have an http-only=true attribute? Will it do more or less? Is there anything I'll have to do programmatically?
3) Is there anything in general I should know about http-only cookies, getting my web app to take advantage of them, or other security concerns?
For WebLogic 10.3.0.0 you need to install the patch p8176461_103_Generic.
HttpOnly cookies are actually supported from the WebLogic 9.0 version; prior to that version this was not available. HttpOnly restricts JavaScript from getting cookies, and in that way it secures you from Cross-Site Scripting.
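Question 2 above asks whether the cookie-http-only deployment-descriptor element takes care of every cookie or whether something has to be done in code. The element lives in weblogic.xml under session-descriptor and governs the container's own session cookie; cookies the application creates itself still have to carry the flag. On a Servlet 2.5 container such as WebLogic 10.3 there is no Cookie.setHttpOnly() (that arrived with Servlet 3.0), so the usual approach is to write the Set-Cookie header by hand. The class below is an added example written for this page, not code from the question, the answers or WebLogic; the class name, method names and the value-validation rules are assumptions, and it assumes only the Servlet 2.5 API that WebLogic 10.3 ships.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Emits application cookies with the HttpOnly flag on a Servlet 2.5 container
 * (WebLogic 10.3), where javax.servlet.http.Cookie has no setHttpOnly().
 * Added example for this page; hypothetical helper, not WebLogic or project code.
 */
public final class HttpOnlyCookies {

    private HttpOnlyCookies() {}

    /** Adds a cookie that JavaScript cannot read; Secure is added when the request came over TLS. */
    public static void addHttpOnlyCookie(HttpServletRequest req, HttpServletResponse resp,
                                         String name, String value, int maxAgeSeconds) {
        String path = req.getContextPath();
        if (path == null || path.length() == 0) {
            path = "/";
        }
        resp.addHeader("Set-Cookie", buildSetCookie(name, value, path, maxAgeSeconds, req.isSecure()));
    }

    /** Builds the Set-Cookie header value by hand, always appending HttpOnly. */
    static String buildSetCookie(String name, String value, String path,
                                 int maxAgeSeconds, boolean secure) {
        checkToken(name, "cookie name");
        checkValue(value);
        StringBuilder sb = new StringBuilder();
        sb.append(name).append('=').append(value);
        sb.append("; Path=").append(path);
        if (maxAgeSeconds >= 0) {
            // Max-Age for current browsers; Expires for older ones (e.g. IE 6-8) that ignore Max-Age.
            sb.append("; Max-Age=").append(maxAgeSeconds);
            sb.append("; Expires=").append(httpDate(System.currentTimeMillis() + maxAgeSeconds * 1000L));
        }
        if (secure) {
            sb.append("; Secure");
        }
        sb.append("; HttpOnly");
        return sb.toString();
    }

    // Reject anything that would break out of the header (CR/LF, other controls)
    // or out of the cookie value (';', ',', '"', '\\'), so a caller cannot inject attributes.
    private static void checkValue(String value) {
        if (value == null) {
            throw new IllegalArgumentException("cookie value is null");
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < 0x21 || c > 0x7E || c == '"' || c == ',' || c == ';' || c == '\\') {
                throw new IllegalArgumentException("illegal character in cookie value at index " + i);
            }
        }
    }

    // Cookie names are HTTP tokens: printable ASCII without separators.
    private static void checkToken(String token, String what) {
        if (token == null || token.length() == 0) {
            throw new IllegalArgumentException(what + " is empty");
        }
        for (int i = 0; i < token.length(); i++) {
            char c = token.charAt(i);
            if (c < 0x21 || c > 0x7E || "()<>@,;:\\\"/[]?={}".indexOf(c) >= 0) {
                throw new IllegalArgumentException("illegal character in " + what);
            }
        }
    }

    // RFC 1123 date in GMT, the form browsers accept in Expires.
    private static String httpDate(long millis) {
        SimpleDateFormat f = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US);
        f.setTimeZone(TimeZone.getTimeZone("GMT"));
        return f.format(new Date(millis));
    }
}
```

Call HttpOnlyCookies.addHttpOnlyCookie(request, response, "prefs", "dark", 86400) wherever the app would otherwise call response.addCookie(...). For the session cookie, set cookie-http-only to true inside session-descriptor in weblogic.xml (on a release that has the element, or 10.3.0 with the patch named above). Either way, verify from outside rather than trusting the configuration: fetch a page with curl -i and confirm every Set-Cookie line ends with HttpOnly, and that no page still reads those cookies from document.cookie, since HttpOnly will silently break that.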