Hi All,
Oracle APEX Version: 3.2 to 5.1
Oracle DB Version: 11gR2 to 12cR2
Is there a way to set the HttpOnly flag for the session cookie and all cookies for an Oracle APEX application? (I am guessing that there are two cookies for an Oracle APEX application: one is the session cookie (default structure WWV_CUSTOM-F_'|| WORKSPACE_ID ||'_'|| APP_ID if not a named cookie) and the other is the username cookie (LOGIN_USERNAME_COOKIE).)
I found that apex.oracle.com applications are able to set both of these flags:

Now, there is a way to set the session cookie's secure flag by specifying the secure attribute as yes in "Session Cookie Attributes" in the current "Authentication Scheme":

which in turn, for each type of authentication (internally in the APEX engine), calls the OWA_COOKIE.SEND procedure with the secure flag as set.
But the definition of OWA_COOKIE.SEND does not have an option to set the HttpOnly flag for the cookie.
Refer:
So, my question is:
- Is there declarative support in either Oracle APEX or Oracle Database (packages) that will help set the HttpOnly flag for all the cookies of an APEX application? Or is it going to be supported in coming versions of Oracle APEX/Oracle Database?
- Is there a workaround to currently set the HttpOnly flag for existing Oracle APEX (3.2 to 5.1) applications?
- How is apex.oracle.com able to set these flags for the packaged applications? (NOTE: Our client uses Oracle OAM based SSO with HTTP Header Variable as the Authentication Scheme, but I would like to know whether these flag settings for cookies are possible irrespective of the particular Authentication Scheme/Infrastructure Setup for Oracle APEX.)
Regards,
Kiran
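
To check which flags an APEX response actually carries, the `Set-Cookie` headers can be audited directly. The script below is an added example, not part of the original post or Oracle's code. The sample headers are constructed, and the numeric workspace/application IDs, the cookie values, and the function names are assumptions.

```python
import re

# Constructed sample response headers (not captured from a real server).
# Cookie names follow the patterns given in the post; IDs and values are made up.
SAMPLE_HEADERS = [
    "Set-Cookie: WWV_CUSTOM-F_1234567890_100=ORA_WWV-constructed; path=/; secure",
    "Set-Cookie: LOGIN_USERNAME_COOKIE=DEMO_USER; expires=Fri, 31-Dec-2027 00:00:00 GMT; path=/",
    "Content-Type: text/html; charset=utf-8",
]

# Default session cookie name from the post; numeric IDs are an assumption.
SESSION_COOKIE = re.compile(r"^WWV_CUSTOM-F_\d+_\d+$")


def parse_set_cookie(header_line):
    """Return (name, set of lower-cased attribute names), or None if not Set-Cookie."""
    field, sep, value = header_line.partition(":")
    if not sep or field.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    # Attribute names are case-insensitive; flags such as Secure carry no value.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(header_lines, required=("secure", "httponly")):
    """Map each cookie name to the sorted list of required attributes it lacks."""
    findings = {}
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed is not None:
            name, attrs = parsed
            findings[name] = sorted(a for a in required if a not in attrs)
    return findings


def classify(name):
    """Label a cookie using the naming described in the post."""
    if SESSION_COOKIE.match(name):
        return "session (default name)"
    return "username" if name == "LOGIN_USERNAME_COOKIE" else "other"


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie} [{classify(cookie)}]: {status}")
```

Feeding it the header lines saved from a real response (for example, from a browser's network panel) shows whether the secure setting in the authentication scheme took effect and whether HttpOnly is present on each cookie.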