How do I configure HTTPOnly and Secure cookies for DAS in OpenAM 11.x and 12.x?
The purpose of this article is to provide information on configuring HTTPOnly and Secure cookies for the Distributed Authentication Service (DAS) in OpenAM 11.x and 12.x.
This article has been archived and is no longer maintained by ForgeRock.
Configuring HTTPOnly and Secure cookies
You should add the following properties to the DAS configuration file for each DAS instance:
- HTTPOnly: com.sun.identity.cookie.httponly=true
- Secure: com.iplanet.am.cookie.secure=true
It is recommended that you also add the following property if you have enabled HTTPOnly cookies due to the way some web containers (like Apache Tomcat™) parse cookies that contain special characters:
The DAS configuration file is located in the $HOME/FAMDistAuth directory and is called *AMDistAuthConfig.properties.
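To confirm the two flags above on every DAS instance, the following added example (not ForgeRock code) audits each properties file in the DAS directory. The function names and the sample file name prefixes are assumptions, and the check treats any value other than the literal `true` shown above as a finding.

```bash
# Added example: audit DAS properties files for the cookie flags in this article.
REQUIRED_PROPS="com.sun.identity.cookie.httponly com.iplanet.am.cookie.secure"

# Print the effective value of key $2 in properties file $1. Skips '#'/'!' comments,
# accepts '=' or ':' separators, trims whitespace, and lets the last assignment win.
# Line continuations and escaped separators are not handled.
prop_value() {
  awk -v key="$2" '
    /^[ \t]*[#!]/ { next }
    {
      line = $0
      sub(/\r$/, "", line); sub(/^[ \t]+/, "", line)
      pos = match(line, /[ \t]*[=:][ \t]*/)
      if (pos == 0) next
      k = substr(line, 1, pos - 1)
      v = substr(line, pos + RLENGTH)
      sub(/[ \t]+$/, "", v)
      if (k == key) val = v
    }
    END { print val }' "$1"
}

# Report each required property that is missing, commented out or not "true".
audit_das_file() {
  rc=0
  for p in $REQUIRED_PROPS; do
    v=$(prop_value "$1" "$p")
    [ "$v" = "true" ] || { echo "$1: $p is '${v:-unset}', expected 'true'"; rc=1; }
  done
  return $rc
}

# Audit every instance file in the DAS directory (default is the article's path).
# Returns 0 if all files pass, 1 if any file fails, 2 if no file is found.
audit_das_dir() {
  dir=${1:-$HOME/FAMDistAuth}; status=0
  for f in "$dir"/*AMDistAuthConfig.properties; do
    [ -e "$f" ] || { echo "no DAS configuration files in $dir"; return 2; }
    audit_das_file "$f" || status=1
  done
  return $status
}

# Constructed sample: instance "a" is correct, instance "b" has Secure commented out.
sample=$(mktemp -d)
printf '%s\n' 'com.sun.identity.cookie.httponly = true' 'com.iplanet.am.cookie.secure=true' > "$sample/aAMDistAuthConfig.properties"
printf '%s\n' 'com.sun.identity.cookie.httponly=true' '#com.iplanet.am.cookie.secure=true' > "$sample/bAMDistAuthConfig.properties"
audit_das_dir "$sample" || echo "one or more DAS instances need fixing"
```

On a DAS host, call `audit_das_dir` with no argument to check `$HOME/FAMDistAuth`.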
Error when HTTPOnly is enabled for DAS in OpenAM 11.x and 12.x
FAQ: Distributed Authentication Service (DAS) in OpenAM
Related Issue Tracker IDs
OPENAM-3740 (HttpOnly and Secure cookie flags not always honored in multiserver deployments)