Configuring Secure Session Cookies
When AM is served over HTTPS, mark all of its cookies as secure: a cookie carrying the Secure attribute is sent by the browser only over HTTPS, never over plain HTTP.
This matters for deployments that accept both HTTPS and HTTP traffic, because without the attribute a redirect to an HTTP URL would cause the browser to send the session cookie across an unencrypted connection, where it could be observed.
- Log in to the AM console as an administrative user, for example,
- Navigate to Configure > Server Defaults > Security > Cookie.
- Enable the Secure Cookie switch, and save your changes.
- Restart AM or the container where it runs.
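After the restart, a practitioner typically confirms the change by inspecting the Set-Cookie headers that AM actually returns rather than trusting the console setting. The following script is an added example written for this guide, not code from AM or from ForgeRock: it parses Set-Cookie header values and reports cookies that lack the Secure attribute (and, as a related check, HttpOnly). It assumes AM's default session cookie name, iPlanetDirectoryPro, and the header values it checks are constructed sample data, not captured from a real deployment.

```python
"""Post-change check: do AM's Set-Cookie headers carry the Secure attribute?

Added example for the Secure Cookie procedure above (not AM's own code).
Assumption: the session cookie is named iPlanetDirectoryPro (AM's default).
All header values below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class CookieInfo:
    """Name and attribute flags parsed from one Set-Cookie header value."""
    name: str
    secure: bool
    http_only: bool
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Split a Set-Cookie value into name=value and its ';'-separated attributes.

    Attribute names are matched case-insensitively, as browsers do; Secure and
    HttpOnly are flag attributes (no value), everything else is kept as key=value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    secure = False
    http_only = False
    attrs: dict = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        key_l = key.strip().lower()
        if key_l == "secure":
            secure = True
        elif key_l == "httponly":
            http_only = True
        elif has_eq:
            attrs[key_l] = val.strip()
    return CookieInfo(name.strip(), secure, http_only, attrs)


def find_missing_flags(headers: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Return {cookie name: [missing attribute names]} for every Set-Cookie header.

    Only cookies with at least one missing attribute appear in the result, so an
    empty dict means every cookie was flagged Secure and HttpOnly.
    """
    findings: dict[str, list[str]] = {}
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hval)
        missing = []
        if not cookie.secure:
            missing.append("Secure")
        if not cookie.http_only:
            missing.append("HttpOnly")
        if missing:
            findings[cookie.name] = missing
    return findings


# Constructed sample headers: before and after enabling the Secure Cookie switch.
BEFORE_CHANGE = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "iPlanetDirectoryPro=AQIC-constructed-token; Path=/; Domain=.example.com; HttpOnly"),
]
AFTER_CHANGE = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "iPlanetDirectoryPro=AQIC-constructed-token; Path=/; Domain=.example.com; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE_CHANGE), ("after", AFTER_CHANGE)):
        print(label, find_missing_flags(headers) or "all cookies flagged Secure and HttpOnly")
```

To run the check against a live AM instance, collect the response headers from an authentication request (with urllib, `response.headers.get_all("Set-Cookie")` returns every Set-Cookie value) and pass them as `("Set-Cookie", value)` pairs to `find_missing_flags`; any cookie listed in the result is still being sent without the attribute.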