3.15 Configuring the Cookie Secure Flag

The Identity Provider sets the Secure flag on its cookies by default. In some cases the flag is missing from a cookie, so the browser will also send that cookie over a plain HTTP connection, where anyone on the network path can read it. This happens when Tomcat itself sets the JSESSIONID cookie more than once in a response.

To mitigate the risk, set the session cookie Secure flag in the Tomcat deployment descriptor. With the flag set, the browser sends the cookie only over an HTTPS connection.

Open /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml and add the following entry inside the <web-app> element. If the file already contains a <session-config> element, add the <cookie-config> element to it rather than creating a second <session-config>. Restart the Identity Provider for the change to take effect.

<session-config>
 <cookie-config>
  <secure>true</secure>
 </cookie-config>
</session-config>
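As an added example (not part of the NetIQ Access Manager product or its documentation), the following Python script does two checks a practitioner would want around this change: it verifies whether a web.xml already contains session-config/cookie-config/secure set to true and can add the entry while keeping existing settings such as session-timeout, and it audits a list of response headers for any JSESSIONID Set-Cookie that lacks the Secure attribute, checking every Set-Cookie header because Tomcat may emit the cookie more than once. The sample web.xml and response headers are constructed; the Java EE namespace in the sample and the default file path (taken from the page) are assumptions.

```python
"""Check and patch a Tomcat web.xml for the session cookie Secure flag, and audit
Set-Cookie headers for a JSESSIONID sent without Secure.

Example code, not part of NetIQ Access Manager. Sample inputs are constructed."""
import sys
import xml.etree.ElementTree as ET

JAVAEE_NS = "http://xmlns.jcp.org/xml/ns/javaee"  # assumed namespace of the sample web.xml
DEFAULT_WEB_XML = "/opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml"  # path named on the page

# Constructed sample: a minimal web.xml with a session-config but no cookie-config.
SAMPLE_WEB_XML = f"""<web-app xmlns="{JAVAEE_NS}" version="3.1">
  <session-config>
    <session-timeout>20</session-timeout>
  </session-config>
</web-app>
"""

# Constructed response headers: the first JSESSIONID is fine, the repeated one is not,
# and the non-session cookie is outside the scope of this check.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/nidp; Secure; HttpOnly"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/nidp; HttpOnly"),
    ("Set-Cookie", "tracking=abc; Path=/"),
]


def _local(tag):
    """Strip an ElementTree namespace prefix like '{uri}name' down to 'name'."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child whose local name is `name`, or None (namespace-agnostic)."""
    for c in elem:
        if _local(c.tag) == name:
            return c
    return None


def session_cookie_secure(web_xml_text):
    """True only if session-config/cookie-config/secure is present and equals 'true'."""
    root = ET.fromstring(web_xml_text)
    sc = _child(root, "session-config")
    cc = _child(sc, "cookie-config") if sc is not None else None
    sec = _child(cc, "secure") if cc is not None else None
    return sec is not None and (sec.text or "").strip().lower() == "true"


def add_secure_flag(web_xml_text):
    """Return web.xml text with <secure>true</secure> under session-config/cookie-config.

    Missing elements are created; existing ones (e.g. session-timeout) are kept, so a
    second session-config is never introduced."""
    root = ET.fromstring(web_xml_text)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)  # serialize with the default namespace, not ns0:
    q = (lambda n: f"{{{ns}}}{n}") if ns else (lambda n: n)
    sc = _child(root, "session-config")
    if sc is None:
        sc = ET.SubElement(root, q("session-config"))
    cc = _child(sc, "cookie-config")
    if cc is None:
        cc = ET.SubElement(sc, q("cookie-config"))
    sec = _child(cc, "secure")
    if sec is None:
        sec = ET.SubElement(cc, q("secure"))
    sec.text = "true"
    return ET.tostring(root, encoding="unicode")


def jsessionid_without_secure(headers):
    """Return the Set-Cookie values that set JSESSIONID without the Secure attribute.

    `headers` is a list of (name, value) pairs. Every Set-Cookie header is inspected,
    because a response may carry the session cookie more than once."""
    insecure = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        if cookie_name == "JSESSIONID" and "secure" not in attrs:
            insecure.append(value)
    return insecure


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_WEB_XML
    with open(path, encoding="utf-8") as f:
        text = f.read()
    print(f"{path}: secure flag {'set' if session_cookie_secure(text) else 'MISSING'}")
    for bad in jsessionid_without_secure(SAMPLE_HEADERS):
        print("JSESSIONID without Secure in sample headers:", bad)
```

Run the script with the path of the web.xml to check; without an argument it reads the Identity Provider path given above. The header audit can be fed the Set-Cookie lines from an HTTPS response to the Identity Provider after the restart, which is the confirmation that the flag is actually reaching the browser.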