Enable httpOnly for session cookies in the Dashboard server

This section describes how to resolve a security issue in which the session cookie settings need to be modified.

Symptoms

If the TBSM session cookie does not carry the HttpOnly attribute, a malicious script injected into the site can read it, and its value can be stolen.

Resolution

Add the com.ibm.ws.webcontainer.httpOnlyCookies setting to the Dashboard Application Services Hub server.xml file on your Dashboard server as follows:
  1. In a command window, change to the directory: $JazzSMHome/profile/config/cells/JazzSMNode01Cell/nodes/JazzSMNode01/servers/server1.
  2. In a text editor, open the server.xml file.
  3. Add the property:
     <properties xmi:id="Property_12"
                 name="com.ibm.ws.webcontainer.httpOnlyCookies"
                 value="LtpaToken2,JSESSIONID_ibm_console_16310,JSESSIONID"/>
Important: Setting the httpOnly tag may cause some custom applications and Netcool/OMNIbus WebGUI portlets to malfunction. If you have issues after adding the httpOnly tag, upgrade the Java JRE to version 7.0/1.7 to resolve the problem.
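To confirm the change took effect, the following added Python check (not from the IBM page or the product) reads the cookie names listed in the httpOnlyCookies property from a constructed server.xml fragment and reports any of those cookies that the server still sets without HttpOnly; the Set-Cookie headers below are constructed samples, not captured from a real Dashboard server.

```python
import xml.etree.ElementTree as ET

HTTPONLY_PROP = "com.ibm.ws.webcontainer.httpOnlyCookies"

# Constructed server.xml fragment (assumed layout; not a copy of a real file),
# carrying the property described in the resolution above.
SERVER_XML = """<process:Server xmlns:process="http://www.ibm.com/websphere/appserver/schemas/5.0/process.xmi"
    xmlns:xmi="http://www.omg.org/XMI" xmi:id="Server_1" name="server1">
  <components xmi:id="WebContainer_1">
    <properties xmi:id="Property_12"
                name="com.ibm.ws.webcontainer.httpOnlyCookies"
                value="LtpaToken2,JSESSIONID_ibm_console_16310,JSESSIONID"/>
  </components>
</process:Server>"""

# Constructed Set-Cookie headers as the Dashboard server might send them
# before and after the property is added.
SET_COOKIE_BEFORE = [
    "JSESSIONID=0000Abc123:-1; Path=/",
    "LtpaToken2=AAECAwQF; Path=/; Secure",
    "theme=dark; Path=/",
]
SET_COOKIE_AFTER = [
    "JSESSIONID=0000Abc123:-1; Path=/; HttpOnly",
    "LtpaToken2=AAECAwQF; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]


def configured_httponly_cookies(server_xml):
    """Return the cookie names listed in the httpOnlyCookies property (empty set if absent)."""
    root = ET.fromstring(server_xml)
    for prop in root.iter("properties"):
        if prop.get("name") == HTTPONLY_PROP:
            return {n.strip() for n in prop.get("value", "").split(",") if n.strip()}
    return set()


def cookies_missing_httponly(set_cookie_headers, expected_names):
    """Names from expected_names that the server set without the HttpOnly attribute."""
    missing = set()
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        # Attributes follow the first ';' and are case-insensitive per RFC 6265.
        attrs = {part.strip().lower() for part in header.split(";")[1:]}
        if name in expected_names and "httponly" not in attrs:
            missing.add(name)
    return missing
```

Run it against the headers of a real login response (for example, from a browser's network tab or a curl -i capture) by replacing the constructed lists; an empty result for the configured names means the fix is in effect.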