
I'm developing in PeopleSoft, and you access the PIA portal through a URL such as https://mywebserver.com/psp/ps/EMPLOYEE/CRM/?cmd=login. However, at some integration points it will go through the non-portal URL https://mywebserver.com/psc/ps/EMPLOYEE/CRM/?cmd=login. Notice how both are at the root level.

If I set cookie-path=/psp then the URL through /psc won't work correctly and vice versa.

For a clean pen test, is there a way WebLogic can be set up to allow multiple values for a cookie path? I'm trying to achieve something like this in the weblogic.xml:

<session-descriptor>
  <cookie-path>/psc;/psp</cookie-path>
</session-descriptor>
Jliu
  • The cookie-path attribute only supports a single path according to the documentation. What would be the argument against using just "/"? – b0tting May 22 '18 at 06:53
  • The PEN test report flagged a path of / as a security risk. – Jliu May 22 '18 at 16:52

1 Answer


I don't think you can out of the box.

The best way to solve this would be to write the set-cookie directive directly in a servlet.

A hack that might work: assuming you set the cookie path of PeopleSoft to "/psp" and a user approaches the domain over the /psc path, WebLogic should return a faulty "Set-Cookie" with the /psp path. You could catch that in your web server and rewrite the header to /psc. In Apache this would be something like "Header edit Set-Cookie ^(.*)/psp(.*)$ $1/psc$2" in the context of /psc.

b0tting
  • That is an interesting approach, will take some regression effort though. I appreciate the tip! – Jliu May 24 '18 at 13:41
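The following is an added example, not code from the question, the answer or PeopleSoft/WebLogic. It models two things discussed on this page: the browser's cookie path-matching rule (RFC 6265 section 5.1.4), which is why a single Path=/psp cookie is never sent back on /psc requests and why Path=/ is sent to every path on the host, and the Set-Cookie rewrite proposed in the answer, both as a literal equivalent of the Apache "Header edit" regex and as a tighter variant that only touches the Path attribute. The cookie names and values (JSESSIONID=abc123, ps_pref, lang) are constructed; only the /psp and /psc paths come from the question.

```python
"""Cookie path scoping and Set-Cookie path rewriting (added example).

Paths /psp and /psc are the PeopleSoft paths from the question; cookie
names and values below are constructed for illustration.
"""
import re


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match.

    A browser sends a cookie on a request only if the request path equals
    the cookie path, or the cookie path is a prefix that ends in '/', or
    the cookie path is a prefix followed by '/' in the request path.
    """
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def apache_style_rewrite(set_cookie: str, from_path: str = "/psp",
                         to_path: str = "/psc") -> str:
    """Literal equivalent of the answer's rule:
        Header edit Set-Cookie ^(.*)/psp(.*)$ $1/psc$2

    The greedy (.*) means the LAST occurrence of from_path anywhere in the
    header is rewritten, including one that sits inside the cookie value.
    """
    pattern = r"^(.*)" + re.escape(from_path) + r"(.*)$"
    return re.sub(pattern, lambda m: m.group(1) + to_path + m.group(2),
                  set_cookie)


def rewrite_path_attribute(set_cookie: str, request_path: str,
                           from_path: str = "/psp",
                           to_path: str = "/psc") -> str:
    """Tighter variant of the same hack.

    Only rewrites the Path attribute (never the cookie value), and only
    for responses to requests that actually arrive under to_path, which is
    the scoping the answer gets by placing the rule in the /psc context.
    """
    if not path_matches(request_path, to_path):
        return set_cookie
    pattern = r"(;\s*[Pp]ath=)" + re.escape(from_path) + r"(?=\s*;|\s*$)"
    return re.sub(pattern, lambda m: m.group(1) + to_path, set_cookie)


def cookie_reaches(cookie_path: str, request_paths) -> dict:
    """Which of the given request paths would receive a cookie with this Path."""
    return {p: path_matches(p, cookie_path) for p in request_paths}


if __name__ == "__main__":
    portal = "/psp/ps/EMPLOYEE/CRM/"
    non_portal = "/psc/ps/EMPLOYEE/CRM/"
    other_app = "/someotherapp/index"
    # Path=/ reaches every path on the host, Path=/psp reaches only /psp.
    for cp in ("/", "/psp"):
        print(cp, cookie_reaches(cp, [portal, non_portal, other_app]))
    hdr = "JSESSIONID=abc123; Path=/psp; HttpOnly; Secure"
    print(rewrite_path_attribute(hdr, non_portal))  # Path becomes /psc
    print(rewrite_path_attribute(hdr, portal))      # untouched
    # Where the two rewrites differ: a value that happens to contain /psp.
    print(apache_style_rewrite("lang=en/psp; HttpOnly"))
    print(rewrite_path_attribute("lang=en/psp; HttpOnly", non_portal))
```

Two caveats this makes visible. First, after the rewrite the browser holds two independent session cookies, one scoped to /psp and one to /psc, so a session established through the portal is not reused by the non-portal URL; the hack only stops WebLogic's /psp-scoped cookie from being silently ignored on /psc requests. Second, the greedy regex from the answer edits the last "/psp" in the whole header, so if a cookie value ever contains that string it is rewritten too; anchoring on the Path attribute avoids that.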