I'm developing in PeopleSoft and the you access the PIA portal through a URL such as https://mywebserver.com/psp/ps/EMPLOYEE/CRM/?cmd=login. However, at some integration points, it will go through the non-portal URL https://mywebserver.com/psc/ps/EMPLOYEE/CRM/?cmd=login. Notice how both are at the root level.
If I set cookie-path=/psp then the URL through /psc won't work correctly and vice versa.
For a clean PEN test, is there a way Weblogic can be set up to allow multiple values for a cookie path? I'm trying to achieve something like this in the weblogic.xml:
<session-descriptor>
<cookie-path>/psc;/psp</cookie-path>
</session-descriptor>
I don't think you can out of the box.
The best way to solve this would be to write the set-cookie directive directly in a servlet.
A hack that might work: assuming you set the cookie path of PeopleSoft to "/psp" and a user approaches the domain over the /psc path WebLogic should return a faulty "set-cookie" with the /psp path. You could catch that in your webserver and rewrite the header to /psc. In Apache this would be something like "Header edit Set-Cookie ^(.*)/psp(.*)$ $1/psc$2" in the context of the /psc .