Forum Discussion

Brian_Achenbaugh's avatar
Icon for Altocumulus rankAltocumulus
Sep 29, 2022

Cookies, jsessionid and encryption

Hi All, 

Im relatively new to this. Our company had a third party do a pentest on our External apps in a DMZ. We had one call out for cookie information disclosure, so we turned on cookie encryption. We had an additional jsessionid vuln so we went in and did the universal and set the time out for the prior cookie persist if we ended up making the change for the same app that had a vuln cookie(hope this make sense). My question is, by replacing the encrypted cookie persist profile with the new universal jsessionid which sets secure and http. does that negate the cookie encryption and now we are disclosing that info again, even though we are protecting the jsessionid? I see there is a way to have both by turning on cookie encryption via http profile. Really trying to understand. Thanks

3 Replies