WebLogic Server allows a user to securely access HTTPS resources in a
session that was initiated using HTTP, without loss of session data. To
enable this feature, add AuthCookieEnabled="true" to the WebServer
element in config.xml:
<WebServer Name="myserver" AuthCookieEnabled="true"/>Setting
AuthCookieEnabled to true, which is the default setting, causes the
WebLogic Server instance to send a new secure cookie,
_WL_AUTHCOOKIE_JSESSIONID, to the browser when authenticating via an
HTTPS connection. Once the secure cookie is set, the session is allowed
to access other security-constrained HTTPS resources only if the cookie
is sent from the browser.Thus, WebLogic Server uses two cookies:
the JSESSIONID cookie and the _WL_AUTHCOOKIE_JSESSIONID cookie. By
default, the JSESSIONID cookie is never secure, but the
_WL_AUTHCOOKIE_JSESSIONID cookie is always secure. A secure cookie is
only sent when an encrypted communication channel is in use. Assuming a
standard HTTPS login (HTTPS is an encrypted HTTP connection), your
browser gets both cookies.For subsequent HTTP access, you are
considered authenticated if you have a valid JSESSIONID cookie, but for
HTTPS access, you must have both cookies to be considered authenticated.
If you only have the JSESSIONID cookie, you must re-authenticate.To configure on Admin Console :
Log into WebLogic Admin Console.
Under Domain Structure, press click on <domainname>
Select the "Web Applications" tab
Select "Lock and Edit" in change center.
Click on "Auth Cookie Enabled" checkbox.
Restart to confirm changes.
Test an application and view the cookie which got stored as "JSESSIONID"
To Configure the Web application's weblogic-application.xml file:
Run
the following to extract the file from the web application's
weblogic-application.xml: $PATH_JDK_HOME\binjar -xvf
easy-web-examples.ear META-INF/weblogic-application.xml
Add
<cookie-secure>true</cookie-secure> between
<session-descriptor> </session-descriptor> to the
weblogic-application.xml.
Run the following to repackage the
file to the application: $PATH_JDK_HOME\bin\jar -uvf
easy-web-examples.ear META-INF/weblogic-application.xml
Deploy the application into WebLogic
For further information, please read the documentation on "Using Secure Cookies to Prevent Session Stealing " :
http://download.oracle.com/docs/cd/E12840_01/wls/docs103/security/thin_client.html#wp1053780