Securing DWR on Weblogic

The HttpOnly flag prevents client-side scripts from reading a cookie (in browsers that support the extension); it blocks the common XSS payload that reads document.cookie to steal the session ID. WebLogic 11g sets the JSESSIONID cookie HttpOnly by default. Unfortunately, the current stable release of DWR does not work with an HttpOnly JSESSIONID: its crossDomainSessionSecurity check has the DWR JavaScript client read the session ID from document.cookie and echo it in the body of every call, and the server rejects any call whose echoed ID does not match the session. With HttpOnly set, the script cannot read the cookie, so every DWR call is rejected.

Rather than disabling HttpOnly for the whole application (possible in weblogic.xml through the cookie-http-only element of session-descriptor, but that would expose every page's session cookie to XSS again), we keep HttpOnly and turn the DWR check off. Be clear about what that costs: crossDomainSessionSecurity is DWR's protection against cross-site request forgery (CSRF), not an XSS check. With it off, a DWR endpoint accepts a request forged from another site as long as the browser attaches the user's session cookie, so remoted methods that change state should be reviewed for CSRF exposure. The check is disabled by adding the following init-param to the dwr-invoker servlet in web.xml:

<servlet>
    <servlet-name>dwr-invoker</servlet-name>
    <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
    <init-param> <!-- turn off DWR's session-cookie (CSRF) check -->
        <param-name>crossDomainSessionSecurity</param-name>
        <param-value>false</param-value>
    </init-param>
</servlet>
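To make concrete what this init-param switches off, the following is an added example in JavaScript (not DWR's or WebLogic's own code) that models the double-cookie check behind crossDomainSessionSecurity: the client echoes the JSESSIONID it can read from document.cookie, and the server compares that echo with the cookie the browser actually sent. It walks through a legitimate call with HttpOnly off and on, the call with the check disabled, and a request forged from another origin with the check on and off. The session ID, cookie string, method names and helper names are constructed for the illustration.

```javascript
// Added example, not DWR's or WebLogic's own code: a small model of the
// double-cookie check behind DWR's crossDomainSessionSecurity setting.
// Cookie values, method names and the helper names below are illustrative.

// Constructed server-issued session ID. The browser attaches the JSESSIONID
// cookie to every request to the application whatever the HttpOnly flag is.
const SESSION_ID = "7F3C2A9E1B4D";

// What document.cookie exposes to script on the application's own pages.
// HttpOnly hides JSESSIONID from script; the cookie is still sent on the wire.
function visibleCookies(httpOnly) {
  return httpOnly ? "lang=en" : "lang=en; JSESSIONID=" + SESSION_ID;
}

// Client side: DWR's engine reads JSESSIONID out of document.cookie and
// echoes it in each call as httpSessionId (modelled here as an object).
function readJSessionId(cookieString) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() === "JSESSIONID") return part.slice(eq + 1).trim();
  }
  return ""; // cookie unreadable (HttpOnly or absent): nothing to echo
}

function buildDwrCall(cookieString, method) {
  return { method: method, httpSessionId: readJSessionId(cookieString) };
}

// Server side: the session ID from the request's Cookie header must equal
// the one echoed in the body when crossDomainSessionSecurity is on.
function handleDwrCall(call, cookieSessionId, crossDomainSessionSecurity) {
  if (crossDomainSessionSecurity && call.httpSessionId !== cookieSessionId) {
    return { ok: false, error: "CSRF Security Error" };
  }
  return { ok: true, result: call.method + " executed" };
}

// Legitimate same-origin call from one of the application's own pages.
function legitimateCall(httpOnly, crossDomainSessionSecurity) {
  const call = buildDwrCall(visibleCookies(httpOnly), "Account.listEntries");
  return handleDwrCall(call, SESSION_ID, crossDomainSessionSecurity);
}

// Request forged from another origin (a CSRF page). Script there can never
// read the application's cookies, so it cannot echo the session ID, but the
// victim's browser still attaches the JSESSIONID cookie to the request.
function forgedCall(crossDomainSessionSecurity) {
  const forged = { method: "Account.transfer", httpSessionId: "" };
  return handleDwrCall(forged, SESSION_ID, crossDomainSessionSecurity);
}

// The combinations the configuration choice above is about.
function summary() {
  return {
    httpOnlyOffCheckOn: legitimateCall(false, true).ok,  // true:  DWR default, works
    httpOnlyOnCheckOn:  legitimateCall(true, true).ok,   // false: WebLogic 11g default breaks DWR
    httpOnlyOnCheckOff: legitimateCall(true, false).ok,  // true:  the configuration described here
    forgedWithCheckOn:  forgedCall(true).ok,             // false: CSRF blocked by the check
    forgedWithCheckOff: forgedCall(false).ok,            // true:  CSRF accepted once the check is off
  };
}

console.log(summary());
```

The last two entries of the summary are the point: the check is what stands between a cross-site page and your remoted methods, and the init-param removes it for every DWR call, not only for the ones that broke under HttpOnly.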

Recently, DWR has gained support for HttpOnly session cookies; see this issue: Add support for HttpOnly cookies. The feature will be part of the upcoming 3.0 release and should make the configuration step described above redundant, at which point crossDomainSessionSecurity should be switched back on.