Access Management 7.4.1

HttpOnly session cookies

Whether you use HTTP or HTTPS, flag your cookies as HttpOnly, which means they are transmitted only over HTTP or HTTPS protocols. This setting alone already prevents most XSS attacks, since HttpOnly cookies cannot be transmitted using JavaScript.

When a client makes a call to the /json/authenticate endpoint appending a valid SSO token, if HttpOnly cookies are enabled, then AM returns an empty tokenId field.

For example:

{
  "tokenId":"",
  "successUrl":"/openam/console",
  "realm":"/alpha"
}

Configure the httpOnly flag

  1. In the AM admin UI, go to Configure > Server Defaults > Advanced.

  2. Set the com.sun.identity.cookie.httponly advanced server property to true, and save your changes.

    You must make this change in all the AM instances in the site.

    Regardless of the value of the com.sun.identity.cookie.httponly property, AM upgrades cookies to secure cookies (except the amlbcookie cookie) when requests arrive over a secure channel.

  3. Restart AM or the container where it runs.