Configuring HttpOnly Flag for Cookies in Windchill
In a Windchill installation, the HttpOnly flag is configured by default to mitigate any security risk to the cookies. The HttpOnly is a flag under the Set-Cookie HTTP response header. As a security best practice, cookies must be secured. The out-of-the-box setting for the HttpOnly flag protects cookies by mitigating the security risk of client-side access to cookies and ensuring that cookies are only accessible from the server side for all Windchill web content.
To Verify that the HttpOnly Flag is Configured
1. Login to the Windchill application.
2. Open a web browser and go to Developer Tools in the browser.
3. On the Network tab, click View.
4. Confirm that the response for a successful authentication request for Set-Cookie under Response Headers contains the HttpOnly flag.
| If you are using form-based authentication for Arbortext to connect to Windchill server, then the HttpOnly flag must be set to false. Refer to the section below to set the HttpOnly flag to false. |
To Turn Off the HttpOnly Flag after Windchill Installation
1. Stop Windchill and the PTC HTTPServer.
2. Open the <webAppName>.xml file from $WT_HOME/tomcat location, where <webAppName> is the file name used during installing Windchill.
| Back up the <webAppName>.xml file before changing the configuration. |
3. Under the target name installWebApp, set the value of the property useHttpOnly to false as follows: <property name="useHttpOnly" value="false"/>
4. Open the Windchill.xml file from location $WT_ HOME/tomcat/conf/Catalina/localhost
Set the value of useHttpOnly flag for the Context path to false as follows: <Context path="/Windchill" docBase=<WT_Home>/codebase" reloadable="false" useHttpOnly=false">
5. Start Windchill and the PTC HTTPServer.
