HttpOnly session cookies
To help protect against cross-site scripting (XSS) attacks, configure session cookies with the HttpOnly flag.
When a cookie has this flag, browsers prevent client-side scripts from accessing it.
This is an effective way to prevent attackers from stealing session information.
By default, AM enables the HttpOnly flag on its session cookies.
When the For example:
Verify the httpOnly flag is enabled
The httpOnly flag is enabled by default. To verify that it’s enabled, follow these steps:
- In the AM admin UI, go to Configure > Server Defaults > Advanced.
- Find the com.sun.identity.cookie.httponly advanced server property and make sure it’s set to true.
- If you change the value, save your changes and restart AM or the container where it runs.
- If you have a site with multiple AM servers, verify this setting on each server.
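The admin UI check above confirms the server property; the following is an added example (not AM's own code or from this page) that confirms the result from the outside, by parsing the Set-Cookie headers a server actually returns and listing every cookie that lacks the HttpOnly attribute. The header lines embedded below are constructed sample data, and the cookie name iPlanetDirectoryPro is assumed to be the session cookie name (an assumption, not stated on this page).

```python
"""Report which cookies in a set of Set-Cookie headers lack the HttpOnly flag.

Added example, not AM's own code. Cookie attribute names are compared
case-insensitively, as browsers do, so "HttpOnly", "httponly" and
"HTTPONLY" all count.
"""


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attributes are keyed by their lower-cased name; flag attributes with no
    value (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def set_cookie_values(raw_response):
    """Extract the values of all Set-Cookie headers from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n"):
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            values.append(val.strip())
    return values


def missing_httponly(set_cookie_headers):
    """Return the names of cookies that do not carry the HttpOnly attribute."""
    missing = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed sample response (not captured from a real AM server).
# iPlanetDirectoryPro is assumed here to be the session cookie name.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: iPlanetDirectoryPro=AQIC5w_sample_token; Path=/; "
    "Domain=.example.com; Secure; HttpOnly\r\n"
    "Set-Cookie: amlbcookie=01; Path=/; Domain=.example.com; Secure\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/am; httponly\r\n"
    "\r\n"
    "{}"
)


def audit(raw_response=SAMPLE_RESPONSE, session_cookie="iPlanetDirectoryPro"):
    """Return (session_cookie_ok, cookies_missing_httponly) for a raw response."""
    missing = missing_httponly(set_cookie_values(raw_response))
    return session_cookie not in missing, missing


if __name__ == "__main__":
    ok, missing = audit()
    print("session cookie HttpOnly:", "yes" if ok else "NO")
    for name in missing:
        print("cookie without HttpOnly:", name)
```

To run this against a live server, capture the response headers with `curl -sD - -o /dev/null <AM URL>` and pass that text to `audit`. Only the session cookie needs to pass for the check this page describes; other cookies appearing in the list (the load-balancer cookie in the sample) may legitimately lack the flag, so the function reports them separately rather than failing on them.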
AM also uses the