
Turn on the HttpOnly and Secure flags for session cookies within WebLogic

Setting the HttpOnly flag on the session cookie prevents client-side script from reading it, which reduces the risk of session theft; setting the Secure flag makes the browser send the cookie only over HTTPS, so it is not exposed on a plaintext connection.

Perform these steps on the application server.

To turn on the flags for session cookies:

  1. Navigate to the following directory:

    $INSTALL_DIR/Healthcare/WEB-INF

  2. Open the weblogic.xml file, and scroll to the <session-descriptor> section.
  3. If the section does not contain the following element, add the element:

    <cookie-secure>true</cookie-secure>

  4. If the section does not contain the following element, add the element:

    <wls:cookie-http-only>true</wls:cookie-http-only>
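The following is an added example of how the completed <session-descriptor> section looks once both elements from steps 3 and 4 are in place. It is not the weblogic.xml shipped with the product: the surrounding elements, the namespace prefix and the absence of any other session settings are assumptions, and only the two flag elements come from the steps above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the product's own weblogic.xml. Only the two flag
     elements come from the procedure; everything else is assumed. -->
<wls:weblogic-web-app
    xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app">

  <wls:session-descriptor>
    <!-- Step 3: Secure flag. The browser sends the session cookie only
         over HTTPS, so it never travels on a plaintext connection. -->
    <wls:cookie-secure>true</wls:cookie-secure>

    <!-- Step 4: HttpOnly flag. The browser withholds the cookie from
         document.cookie, so script running in the page cannot read it. -->
    <wls:cookie-http-only>true</wls:cookie-http-only>
  </wls:session-descriptor>

</wls:weblogic-web-app>
```

Match the prefix convention already used inside your file's <session-descriptor>: if the file binds the wls prefix as above, both elements need it; if it declares the WebLogic namespace as the default (no prefix), both are written unprefixed, as in step 3. An element whose prefix does not match the rest of the file ends up in a different namespace and the setting is silently ignored. After redeploying the application, confirm the result by inspecting the Set-Cookie header for the session cookie in a response from the server (for example with `curl -sI` against the application URL over HTTPS) and checking that both the Secure and HttpOnly attributes appear.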

Note: When the http-only flag is turned on, users must use Microsoft Internet Explorer 8 or later and Java 7 or later to view single-patient and multi-patient timelines as applets. Users running older releases should deselect the Display Patient Timelines as applets user preference. Alternatively, you can deselect the Enable User Preference to display Patient Timelines as applet site option, which turns off the applet viewing mode for all users.

Copyright © 2013, 2016 Oracle and/or its affiliates. All rights reserved.