3 Replies. Latest reply: Jan 18, 2012 4:43 AM by Jean-Frederic Clere

How to set HttpOnly for session cookie?

Shantanu Upadhyaya Newbie

I have a JSF web app deployed on JBoss 4.2.3. I'd like to add HttpOnly on the session cookie and it looks like there's no configuration available for this version.

 

I wrote a servlet filter to add "HttpOnly", which I add only if the response contains SET-COOKIE. This DOESN'T work on JBoss.

`response.containsHeader("SET-COOKIE")` always returns false. I'm using a middle man proxy server and I can see that the Set-Cookie response header is indeed getting generated.

Can anyone throw light on this?

 

The filter works fine on Tomcat 6.x.