- Session stealing (session hijacking) happens when the session identifier is transferred over the network as clear-text: an attacker who can sniff the traffic captures the session ID and replays it to act as the authenticated user. WebLogic Server mitigates this for HTTPS-protected resources with the AuthCookieEnabled setting
- Set AuthCookieEnabled="true" in the WebServer element in config.xml of WebLogic Server
- When AuthCookieEnabled is set to true and the user authenticates over HTTPS, the server sends an additional secure cookie, _WL_AUTHCOOKIE_JSESSIONID, alongside the normal JSESSIONID
- The default JSESSIONID cookie is not marked Secure, so the browser also sends it over plain HTTP, where it can be sniffed. _WL_AUTHCOOKIE_JSESSIONID is marked Secure, so the browser sends it only over HTTPS (it is not "encrypted" as a value; it is simply never exposed on a clear-text connection). Because the server requires both cookies before it serves security-constrained HTTPS resources to that session, a JSESSIONID captured from clear-text traffic is not enough to take over the authenticated HTTPS session. Caveat: resources served over plain HTTP are still reachable with JSESSIONID alone, so the protection only covers what is actually behind HTTPS
Setting AuthCookieEnabled in config.xml

Note: By default, AuthCookieEnabled is set to true
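The following script is an added example (not from these notes or from Oracle) of the two checks a practitioner would run after reading the above: audit config.xml for WebServer elements where AuthCookieEnabled has been switched off (absence means the default, true), and confirm from a login response that _WL_AUTHCOOKIE_JSESSIONID was issued with the Secure flag. The config.xml samples are constructed. The attribute form (`<WebServer AuthCookieEnabled="..."/>`) is the one the notes describe; handling of the hyphenated element form (`<server><web-server><auth-cookie-enabled>`) and the namespace used in that sample are assumptions about newer config.xml layouts, not something the notes state.

```python
"""Audit WebLogic config.xml for AuthCookieEnabled and verify the secure cookie.

Added example, not code from the original notes or from Oracle.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the attribute form described in the notes:
# one server weakened to false, one explicit true, one relying on the default.
SAMPLE_CONFIG_ATTR = """<?xml version="1.0"?>
<Domain Name="mydomain">
  <Server Name="AdminServer">
    <WebServer Name="AdminServer" AuthCookieEnabled="false"/>
  </Server>
  <Server Name="ManagedServer1">
    <WebServer Name="ManagedServer1" AuthCookieEnabled="true"/>
  </Server>
  <Server Name="ManagedServer2">
    <WebServer Name="ManagedServer2"/>
  </Server>
</Domain>
"""

# Constructed sample in the hyphenated element form (assumed layout/namespace).
SAMPLE_CONFIG_ELEM = """<?xml version="1.0"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>mydomain</name>
  <server>
    <name>AdminServer</name>
    <web-server>
      <auth-cookie-enabled>false</auth-cookie-enabled>
    </web-server>
  </server>
  <server>
    <name>ManagedServer1</name>
  </server>
</domain>
"""

# Constructed Set-Cookie headers as an HTTPS login response might return them.
SAMPLE_LOGIN_HEADERS = [
    "JSESSIONID=abc123!-1234; Path=/",
    "_WL_AUTHCOOKIE_JSESSIONID=def456; Path=/; Secure",
]


def _local(tag: str) -> str:
    """Strip an XML namespace: '{uri}web-server' -> 'web-server'."""
    return tag.rsplit("}", 1)[-1]


def _child(el, local_name):
    """First direct child with the given local tag name, or None."""
    return next((c for c in el if _local(c.tag) == local_name), None)


def _text(el):
    return el.text.strip() if el is not None and el.text else None


def auth_cookie_settings(config_xml: str) -> dict:
    """Map each server name to its effective AuthCookieEnabled value.

    A missing attribute/element means the default, which is true.
    """
    root = ET.fromstring(config_xml)
    results = {}
    for server in root.iter():
        tag = _local(server.tag)
        if tag == "Server":  # attribute form from the notes
            name = server.get("Name") or "?"
            ws = _child(server, "WebServer")
            raw = ws.get("AuthCookieEnabled") if ws is not None else None
        elif tag == "server":  # element form (assumed)
            name = _text(_child(server, "name")) or "?"
            ws = _child(server, "web-server")
            raw = _text(_child(ws, "auth-cookie-enabled")) if ws is not None else None
        else:
            continue
        results[name] = True if raw is None else raw.strip().lower() == "true"
    return results


def weak_servers(config_xml: str) -> list:
    """Servers where AuthCookieEnabled has been explicitly turned off."""
    return sorted(n for n, on in auth_cookie_settings(config_xml).items() if not on)


def auth_cookie_issued_securely(set_cookie_headers) -> bool:
    """True if _WL_AUTHCOOKIE_JSESSIONID was set and carries the Secure flag."""
    for header in set_cookie_headers:
        name, _, rest = header.partition("=")
        if name.strip() == "_WL_AUTHCOOKIE_JSESSIONID":
            attrs = {a.strip().lower() for a in rest.split(";")[1:]}
            return "secure" in attrs
    return False  # cookie never issued: AuthCookieEnabled off or login not over HTTPS


if __name__ == "__main__":
    for label, cfg in (("attribute form", SAMPLE_CONFIG_ATTR), ("element form", SAMPLE_CONFIG_ELEM)):
        print(label, "weak servers:", weak_servers(cfg))
    print("auth cookie secure:", auth_cookie_issued_securely(SAMPLE_LOGIN_HEADERS))
```

Run it against a real domain with `auth_cookie_settings(open("config.xml").read())`; any server listed by `weak_servers` has had the protection disabled. The header check only confirms the cookie was issued with Secure; it does not by itself prove the server enforces the two-cookie rule, which you verify by replaying a captured JSESSIONID alone against an HTTPS-constrained URL and expecting to be redirected to login.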