WebSEAL configuration for handling HTTPOnly cookies
To help limit the damage from cross-site scripting (XSS), the HTTPOnly attribute (written HttpOnly in the Set-Cookie header) was added to cookies. A cookie that carries this attribute cannot be read by client-side scripts (for example through document.cookie), so a script injected into a page cannot steal it and send it to an attacker. Cross-site scripting is among the most common security problems for web applications and can expose sensitive information about the users of a website. WebSEAL can be configured to add the HTTPOnly attribute to the Set-Cookie headers it generates for its session, failover, and LTPA cookies. WebSEAL can also be configured to pass the HTTPOnly attribute of Set-Cookie headers received from junctioned back-end servers through to web browsers. Note that HTTPOnly protects only the cookie value: it does not stop an injected script from running, nor from issuing requests to which the browser attaches the cookie automatically.
- To configure WebSEAL to add the HTTPOnly attribute to the session, failover, and LTPA Set-Cookie headers it generates, set use-http-only-cookies in the [server] stanza of the WebSEAL configuration file to yes. The default is no.
[server]
use-http-only-cookies = yes
- To configure WebSEAL to pass the HTTPOnly attribute from Set-Cookie headers that junctioned servers set, so that it reaches the browser, set pass-http-only-cookie-attr in the [junction] stanza of the WebSEAL configuration file to yes. The default is no, so the attribute is not passed unless this entry is changed.
[junction]
pass-http-only-cookie-attr = yes
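After changing either entry and restarting the WebSEAL instance, verify the result by capturing the Set-Cookie headers a browser actually receives (for example with curl -sI against the WebSEAL host and against a junctioned URL) and checking each one for HttpOnly. The following audit script is an added example, not part of the WebSEAL documentation or product: it parses Set-Cookie header values as a browser would (attribute names are case-insensitive) and lists the cookies that lack the attribute. The sample header values, including the cookie names PD-S-SESSION-ID, LtpaToken2 and JSESSIONID, are constructed for illustration and are assumptions about what a given deployment emits.

```python
"""Audit Set-Cookie headers for the HttpOnly attribute.

Added example; not WebSEAL documentation or product code. The sample
headers below are constructed to resemble what a reverse proxy and a
junctioned back end might emit; cookie names are assumptions.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attr_lower: value}).

    Attribute names are case-insensitive per RFC 6265, so 'HttpOnly',
    'httponly' and 'HTTPONLY' are all recognised. Flag attributes such as
    HttpOnly and Secure map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cookies_missing_httponly(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of cookies whose Set-Cookie header lacks HttpOnly."""
    missing: List[str] = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed sample: headers as they might look before the stanza entries
# are set. PD-S-SESSION-ID and LtpaToken2 stand in for WebSEAL's own
# cookies, JSESSIONID for a cookie set by a junctioned back end.
BEFORE = [
    "PD-S-SESSION-ID=1_2_1_abc; Path=/; Secure",
    "LtpaToken2=xyz; Path=/; Domain=.example.com; Secure",
    "JSESSIONID=node01; Path=/app",
]

# Constructed sample: the same cookies after use-http-only-cookies=yes and
# pass-http-only-cookie-attr=yes (the back end already sent HttpOnly).
AFTER = [
    "PD-S-SESSION-ID=1_2_1_abc; Path=/; Secure; HttpOnly",
    "LtpaToken2=xyz; Path=/; Domain=.example.com; Secure; httponly",
    "JSESSIONID=node01; Path=/app; HttpOnly",
]

if __name__ == "__main__":
    print("missing HttpOnly before:", cookies_missing_httponly(BEFORE))
    print("missing HttpOnly after: ", cookies_missing_httponly(AFTER))
```

Feed the script the real Set-Cookie lines from your capture rather than the constructed ones. A junction cookie that still shows up as missing after pass-http-only-cookie-attr is set to yes means the back end never sent the attribute in the first place; WebSEAL only passes it through, it does not add it to back-end cookies.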
For information about these entries, see the web reverse proxy Stanza Reference topics in the IBM Knowledge Center.
Parent topic: Communication protocol configuration