IBM Support

Setting the HTTPOnly and Secure Flags on WebSphere Application Server Cookies



How do I configure the 'HTTPOnly' and 'Secure' flags for cookies managed by WebSphere Application Server?


The WebSphere product manages several cookies including LtpaToken2, WASReqURL, and JSESSIONID. The following settings can be toggled to set values for the Secure and HTTPOnly flags.

LtpaToken2 and WASReqURL:
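
To confirm the flags on all three cookies named above after changing the settings, inspect the Set-Cookie headers the server returns. The following check is an added example, not IBM code; the sample header values are constructed and the function names are hypothetical.

```python
# Added example: audit Set-Cookie header values for the Secure and HttpOnly
# attributes on the cookies this page names. Not IBM code.

WAS_COOKIES = ("LtpaToken2", "WASReqURL", "JSESSIONID")  # names from the page
REQUIRED_FLAGS = ("Secure", "HttpOnly")

def parse_set_cookie(header_value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive, so "HTTPOnly" equals "HttpOnly".
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit(set_cookie_values, watched=WAS_COOKIES):
    """Map each watched cookie that was seen to the flags it is missing."""
    findings = {}
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if name not in watched:
            continue
        missing = findings.setdefault(name, [])
        # A cookie can be set more than once; report a flag if any copy lacks it.
        for flag in REQUIRED_FLAGS:
            if flag.lower() not in attrs and flag not in missing:
                missing.append(flag)
    return findings

# Constructed sample values, one string per Set-Cookie header.
SAMPLE = [
    "LtpaToken2=Zm9vYmFy; Path=/; HttpOnly",
    "WASReqURL=https:///snoop; Path=/; Secure; HttpOnly",
    "JSESSIONID=0000abc123:-1; Path=/; Secure; HTTPOnly",
    "theme=dark; Path=/",  # not managed by WebSphere, ignored
]

if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

With Python's `http.client`, `response.headers.get_all("Set-Cookie")` returns the header values in the one-string-per-header form that `audit` expects.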


Related information

Securing JSESSIONID cookie for the admin console
WebSEAL configuration for handling HTTPOnly cookies

Document information

More support for: WebSphere Application Server

Component: Security

Software version: 8.5, 9.0

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Software edition: Base, Network Deployment

Reference #: 1422185

Modified date: 03 April 2019