Cookie settings

Cookie settings

Use this page to configure cookie settings for session management.
To view this console page, click...
Servers | Server types | WebSphere application servers | server_name | Session management | Enable cookies

Cookie name Unique name for the session management cookie. The servlet specification requires the name JSESSIONID. However, for flexibility, we can configure this value.
Restrict cookies to HTTPS sessions The session cookies include the secure field. Enabling this feature restricts the exchange of cookies to HTTPS sessions only.
Set cookies as HTTP only to help prevent cross-site scripting attacks Specifies that session cookies include the HTTP only field. When checked, browsers that support the HTTP only attribute do not enable cookies to be accessed by client-side scripts. For security cookies, see the global security settings for web SSO.
Cookie domain Domain field of a session tracking cookie. This value controls whether a browser sends a cookie to particular servers. For example, if specified a particular domain, session cookies are sent to hosts in that domain. The default domain is the server.
Cookie maximum age Amount of time that the cookie lives on the client browser. Specify that the cookie lives only as long as the current browser session, or to a maximum age. If we choose the maximum age option, specify the age in seconds. This value corresponds to the Time to Live (TTL) value described in the Cookie specification. Default is the current browser session which is equivalent to setting the value to -1.
Cookie path A cookie is sent to the URL designated in the path. Specify any string representing a path on the server. A slash (/) indicates root directory. Specify a value to restrict the paths to which the cookie is sent. By restricting paths, you prevent the cookie from going to certain URLs on the server. If we specify the root directory, the cookie is sent no matter which path on the given server is accessed. Set the cookie path to match the context root for each application. This setting restricts the cookie from being sent to other applications and results in having different cookies created when accessing multiple applications.

Related tasks
Configure session tracking

Cookie name	Unique name for the session management cookie. The servlet specification requires the name JSESSIONID. However, for flexibility, we can configure this value.
Restrict cookies to HTTPS sessions	The session cookies include the secure field. Enabling this feature restricts the exchange of cookies to HTTPS sessions only.
Set cookies as HTTP only to help prevent cross-site scripting attacks	Specifies that session cookies include the HTTP only field. When checked, browsers that support the HTTP only attribute do not enable cookies to be accessed by client-side scripts. For security cookies, see the global security settings for web SSO.
Cookie domain	Domain field of a session tracking cookie. This value controls whether a browser sends a cookie to particular servers. For example, if specified a particular domain, session cookies are sent to hosts in that domain. The default domain is the server.
Cookie maximum age	Amount of time that the cookie lives on the client browser. Specify that the cookie lives only as long as the current browser session, or to a maximum age. If we choose the maximum age option, specify the age in seconds. This value corresponds to the Time to Live (TTL) value described in the Cookie specification. Default is the current browser session which is equivalent to setting the value to -1.
Cookie path	A cookie is sent to the URL designated in the path. Specify any string representing a path on the server. A slash (/) indicates root directory. Specify a value to restrict the paths to which the cookie is sent. By restricting paths, you prevent the cookie from going to certain URLs on the server. If we specify the root directory, the cookie is sent no matter which path on the given server is accessed. Set the cookie path to match the context root for each application. This setting restricts the cookie from being sent to other applications and results in having different cookies created when accessing multiple applications.