Hi,
I'm using a JDev 11.1.2.2.0 ADF application with Java EE 5 Servlet technology. A weakness was identified in the web application's session cookie controls: the 'secure' attribute was not utilised for session cookies established over secure (HTTPS) connections. A browser subsequently requesting the same site over a non-secure (HTTP) connection may send the cookie in clear text. An attacker could exploit this to obtain the JSESSIONID.
When first visiting the application the following session cookie is set without the secure flag:
Set-Cookie: JSESSIONID=v2p6N8lxkahn9LB1LVmmbS-ZEbpl9L2JdzU8XRK5ppDqgf66Jq88!-327978021; path=/; HttpOnly
How do I fix this vulnerability for an ADF application? I found some links online but need to check with you guys for the best possible solution for an ADF application.
Thank you so much for your valuable time.
Regards
Amar
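An added example, not part of Amar's post or of any reply, to verify the finding and re-check the fix once it is in place. Servlet 2.5 (Java EE 5) has no web.xml cookie-config section (that arrived with Servlet 3.0), so the container-level setting for WebLogic is the cookie-secure element of session-descriptor in weblogic.xml; whichever route is used, the check that matters is whether the Set-Cookie header the server actually emits over HTTPS carries Secure (and HttpOnly). The script below parses Set-Cookie headers and reports missing attributes. The first sample header is the one quoted in the post; the second is a constructed hardened version of it.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Feed it the raw response headers captured from the application (for example
from a browser's developer tools or a curl -I run against the HTTPS URL).
"""


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into its name, value and attribute map.

    Attribute names are lower-cased so the check is case-insensitive,
    matching how browsers treat them.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attributes = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attributes": attributes}


def audit_set_cookie(header_value, over_https=True):
    """Return (cookie name, list of findings) for one Set-Cookie value."""
    cookie = parse_set_cookie(header_value)
    findings = []
    # Secure only matters when the cookie was set over HTTPS; without it the
    # browser will also send the cookie on plain-HTTP requests to the host.
    if over_https and "secure" not in cookie["attributes"]:
        findings.append("missing Secure")
    if "httponly" not in cookie["attributes"]:
        findings.append("missing HttpOnly")
    return cookie["name"], findings


def audit_response_headers(raw_headers, over_https=True):
    """Audit every Set-Cookie line in a block of raw HTTP response headers.

    Returns a dict mapping cookie name -> list of findings (empty list = OK).
    """
    results = {}
    for line in raw_headers.splitlines():
        if line.lower().startswith("set-cookie:"):
            value = line.split(":", 1)[1]
            name, findings = audit_set_cookie(value, over_https)
            results[name] = findings
    return results


# Header as quoted in the post (set over HTTPS, no Secure flag).
REPORTED_HEADERS = (
    "HTTP/1.1 200 OK\n"
    "Set-Cookie: JSESSIONID=v2p6N8lxkahn9LB1LVmmbS-ZEbpl9L2JdzU8XRK5ppDqgf66Jq88!-327978021; path=/; HttpOnly\n"
)

# Constructed example of what the header should look like after the fix.
HARDENED_HEADERS = (
    "HTTP/1.1 200 OK\n"
    "Set-Cookie: JSESSIONID=v2p6N8lxkahn9LB1LVmmbS-ZEbpl9L2JdzU8XRK5ppDqgf66Jq88!-327978021; path=/; Secure; HttpOnly\n"
)


if __name__ == "__main__":
    for label, headers in (("reported", REPORTED_HEADERS), ("hardened", HARDENED_HEADERS)):
        for name, findings in audit_response_headers(headers).items():
            status = ", ".join(findings) if findings else "OK"
            print(f"{label}: {name}: {status}")
```

Run it against headers captured from the HTTPS front end rather than from a local HTTP test port, since a cookie set over plain HTTP is expected to lack Secure and would produce a false finding.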