An attacker can spoof a browser over a non-secure (plain HTTP) connection and send a JSESSION cookie that contains a valid user session. You can prevent this by configuring Identity Server to use an SSL channel for its communications.
In this Section
Configuring a SSL Channel between Identity Server and LDAP Servers
Enabling SSL between Browsers and Identity Server
Enabling SSL between Identity Server and a Service Provider