Ensuring cookie security
Some cookies may not be properly secured in the client browser. An unsecured cookie can be sent in clear text over HTTP, where a man-in-the-middle can read it, or read by script injected into the page; an attacker who obtains the session cookie in either way can hijack the session. To fix this issue, take the following precautions.

In the web application server, set the secure and httponly flags on the session cookie and on any other cookie the application sets. The server settings described below apply to the session cookie; cookies that the application code sets itself must be flagged in that code.

* The secure flag tells the browser to send the cookie only over an HTTPS connection. If you set this flag, you must enable SSL (HTTPS) on every application that exchanges the cookie; otherwise the browser withholds the cookie on plain HTTP requests and those applications lose the session.

* The httponly flag prevents the cookie from being read by client-side script (for example through document.cookie), which limits what a cross-site scripting flaw can steal.
Setting the flags in WebLogic
To set the secure and httponly flags, use the following procedure.
1. If Marketing Platform is deployed and running, stop and undeploy it.
2. Extract the Marketing Platform WAR file.
3. Edit the weblogic.xml file to set the secure and httponly flags (the cookie-secure and cookie-http-only elements of session-descriptor).
4. Recreate the Marketing Platform WAR file, redeploy, and re-start.
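As an added illustration (not taken from the Marketing Platform documentation or WAR file), the session-descriptor settings that step 3 refers to look like this in weblogic.xml. The root element and namespace are the standard WebLogic web-application descriptor; the context-root value is an assumption, and any other elements already present in the file must be kept as they are.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- weblogic.xml: WebLogic-specific deployment descriptor inside WEB-INF/ of the WAR -->
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">

  <!-- Assumed value; keep whatever context-root the extracted WAR already declares -->
  <context-root>unica</context-root>

  <!-- Session cookie hardening: both elements are sub-elements of session-descriptor -->
  <session-descriptor>
    <!-- Secure flag: browser sends the session cookie only over HTTPS -->
    <cookie-secure>true</cookie-secure>
    <!-- HttpOnly flag: session cookie is not readable from client-side script -->
    <cookie-http-only>true</cookie-http-only>
  </session-descriptor>

</weblogic-web-app>
```

After redeploying, confirm the result from a client rather than trusting the descriptor: request the application over HTTPS (for example curl -skI https://<host>/<context-root>/) and check that the Set-Cookie header for the session cookie ends with "; Secure; HttpOnly". If an application that shares the cookie is still served over HTTP, the browser will not send the cookie to it and users will appear logged out there.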
Setting the flags in WebSphere
You set the secure and httponly flags in the WebSphere administrative console, as follows. Both settings apply to the session cookie.
At the application level for Marketing Platform, do the following.
1. Navigate to Session Management and click Enable cookies.
2. Check Restrict cookies to HTTPS sessions (the secure flag) and Set session cookies to HTTPOnly to help prevent cross-site scripting attacks (the httponly flag).
3.
4. Stop and re-start the Marketing Platform application.