2 Replies Latest reply: Feb 23, 2012 6:23 AM by Alastair Rodgers

    How to set HttpOnly and Secure flag in cookies - JBoss 5.1.0

    Mike Wigge Newbie



      I have to set the HttpOnly and the Secure flag in cookies.


      There are some manuals on how to set HttpOnly:

      "In Tomcat 6 flag useHttpOnly=True in context.xml to force this behaviour for applications, including Tomcat-based frameworks like JBoss."

      The context.xml can be found in jboss/server/<myserver>/deploy/jbossweb.sar/context.xml


      Now it looks like this:

      <!-- The contents of this file will be loaded for each web application -->
      <Context cookies="true" crossContext="true" useHttpOnly="true">
         <!-- Session persistence is disable by default. To enable for all web
         apps set the pathname to a non-empty value:
         <Manager pathname="SESSIONS.ser" />


         To enable session persistence for a single web app, add a
         <Manager pathname="" />


         <!-- Install an InstanceListener to handle the establishment of the run-as
         role for servlet init/destroy events.



      Regrettably, it doesn't work.


      I wasn't able to find a manual on how to set the Secure flag, either.


      Can anyone help me?


      Thanks in advance.