Hi all,

According to the document at http://e-docs.bea.com/wls/docs81/sec...in_client.html
the secure cookie _wl_authcookie_ turns on when https starts.
I have some quick questions regarding how it really works:

Q1. This secure cookie will definitely prevent session stealing in transit (due to https).
However, will it prevent session hijacking using cross-site scripting? I.e., _wl_authcookie_
can still be obtained in clear text by an attacker even when using https, and the attacker could use
https://....?jsessionid=..._wl_authcookie_=....
to hijack the session?
Will it prevent session fixation as described in
www.acros.si/papers/session_fixation.pdf ?

Q2. Is _wl_authcookie_ tied to the SSL session ID?
If yes, the answer to Q1 should be yes, right?

Q3. Should the _wl_authcookie_ value be a constant once https starts?
However, I observe that _wl_authcookie_ changes per request for one web app. It provides extra protection at the cost of performance. Is this a configurable feature?

Thanks
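The questions above come down to two things a defender can check directly: whether the session cookies are sent with the Secure and HttpOnly attributes (Secure keeps them off plain HTTP, HttpOnly keeps them out of reach of page script), and whether a session identifier is ever carried in the URL, where it leaks through logs, Referer headers and browser history regardless of cookie attributes. The following is an added example, not code from the original post or from WebLogic; the Set-Cookie headers are constructed, and the only names taken from the post are JSESSIONID and _wl_authcookie_.

```python
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Cookie names that carry session state (names taken from the question above).
SESSION_COOKIES = ("JSESSIONID", "_wl_authcookie_")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie_headers(headers: List[str]) -> Dict[str, List[str]]:
    """For each session cookie, list the protective attributes that are missing."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] not in SESSION_COOKIES:
            continue  # non-session cookies are out of scope here
        missing = []
        if "secure" not in cookie["attrs"]:
            missing.append("Secure")    # would be sent over plain HTTP too
        if "httponly" not in cookie["attrs"]:
            missing.append("HttpOnly")  # readable by injected script (XSS)
        findings[cookie["name"]] = missing
    return findings


def session_id_in_url(url: str) -> bool:
    """True if a session identifier travels in the URL path (;jsessionid=) or query string."""
    parts = urlsplit(url)
    if ";jsessionid=" in parts.path.lower():
        return True
    query_keys = {k.lower() for k in parse_qs(parts.query)}
    return any(name.lower() in query_keys for name in SESSION_COOKIES)


# Constructed sample headers, not captured from a real server.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "_wl_authcookie_=def456; Path=/; Secure",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for name, missing in audit_set_cookie_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
    print(session_id_in_url("https://host/app?jsessionid=x&_wl_authcookie_=y"))
```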