How do I configure HTTPOnly and Secure cookies for DAS in OpenAM 11.x and 12.x?
The purpose of this article is to provide information on configuring HTTPOnly and Secure cookies for the Distributed Authentication Service (DAS) in OpenAM 11.x and 12.x.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Configuring HTTPOnly and Secure cookies
Add the following properties to the DAS configuration file of each DAS instance (the file is read at startup, so restart the DAS web container afterwards):
- HTTPOnly: com.sun.identity.cookie.httponly=true
- Secure: com.iplanet.am.cookie.secure=true
A browser only returns a Secure cookie over HTTPS, so once com.iplanet.am.cookie.secure is set the DAS instances must be accessed over HTTPS; over plain HTTP the browser never sends the cookie back.
Caution
It is recommended that you also add the following property if you have enabled HTTPOnly cookies due to the way some web containers (like Apache Tomcat™) parse cookies that contain special characters:
The DAS configuration file is located in the $HOME/FAMDistAuth directory and is called *AMDistAuthConfig.properties, where * stands for a deployment-specific prefix.
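As an added example (not ForgeRock's own tooling), the following POSIX shell script sets the two properties idempotently in a DAS configuration file and then checks a Set-Cookie header, as a browser would receive it from DAS, for the HttpOnly and Secure attributes. The temporary file, the cookie name iPlanetDirectoryPro and the header line are constructed for the demonstration; point set_prop at the real *AMDistAuthConfig.properties file in $HOME/FAMDistAuth when using it.

```shell
#!/bin/sh
# Added example: harden the DAS cookie properties and verify the result.

# set_prop FILE KEY VALUE: replace an existing KEY=... line or append one,
# so running it twice never produces duplicate entries.
set_prop() {
    file=$1
    key=$2
    value=$3
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots for the regex
    if grep -q "^${esc}=" "$file"; then
        sed "s|^${esc}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# harden_das_config FILE: add the HTTPOnly and Secure cookie properties.
harden_das_config() {
    set_prop "$1" com.sun.identity.cookie.httponly true
    set_prop "$1" com.iplanet.am.cookie.secure true
}

# check_das_config FILE: succeed only if both properties are set to true.
check_das_config() {
    grep -q '^com\.sun\.identity\.cookie\.httponly=true$' "$1" &&
    grep -q '^com\.iplanet\.am\.cookie\.secure=true$' "$1"
}

# check_cookie_flags "Set-Cookie: ...": succeed only if the HttpOnly and
# Secure attributes are both present. Attributes are matched whole and
# case-insensitively, so a cookie *named* secureToken does not count.
check_cookie_flags() {
    attrs=${1#*:}                    # drop the "Set-Cookie:" header name
    have_httponly=0
    have_secure=0
    old_ifs=$IFS
    IFS=';'
    set -f                           # no pathname expansion on the cookie value
    for attr in $attrs; do
        attr=$(printf '%s' "$attr" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
        case "$attr" in
            httponly) have_httponly=1 ;;
            secure)   have_secure=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    [ "$have_httponly" -eq 1 ] && [ "$have_secure" -eq 1 ]
}

# Demonstration on a throwaway copy of a DAS configuration file (constructed).
demo_file=$(mktemp)
printf 'com.iplanet.am.cookie.name=iPlanetDirectoryPro\ncom.iplanet.am.cookie.secure=false\n' > "$demo_file"
harden_das_config "$demo_file"
check_das_config "$demo_file" && echo "DAS config: both cookie properties set to true"
rm -f "$demo_file"

# Constructed Set-Cookie header as DAS should emit it after the restart.
sample='Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcw; Path=/; Domain=.example.com; Secure; HttpOnly'
check_cookie_flags "$sample" && echo "Set-Cookie: HttpOnly and Secure present"
```

After restarting DAS, capture the Set-Cookie header of a real login response (for example with curl -i) and feed that line to check_cookie_flags; if either attribute is missing, the property was not picked up by that instance.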
See Also
Error when HTTPOnly is enabled for DAS in OpenAM 11.x and 12.x
FAQ: Distributed Authentication Service (DAS) in OpenAM
Related Training
N/A
Related Issue Tracker IDs
OPENAM-3740 (HttpOnly and Secure cookie flags not always honored in multiserver deployments)