3 Replies Latest reply on Apr 7, 2011 11:40 AM by gigi2

    set session cookie secure and httpOnly?


      Hello, JBoss gurus,


      We use JBoss 5.0.1 GA for web applications. I'm wondering what I can do to set session cookies going out to be secure and httpOnly. As a newbie in JBoss, I'd truly appreciate any help/hints you may have.



        • 1. set session cookie secure and httpOnly?

          I tried to add a context.xml file that looks like


          <Context cookies="true" crossContext="false">

             <Manager pathname="" />


             <SessionCookie secure="true" useHttpOnly="true" >



          It does not work either. I've also tried


          <SessionCookie secure="true" httpOnly="true" >


          Neither did that work. Can anyone please give some help? Thanks a lot in advance.

          • 2. set session cookie secure and httpOnly?

            Can someone please shed some light onto this? So desperate here :-(

            • 3. set session cookie secure and httpOnly?

              Ahh! I finally got it to work by adding the following line to the context.xml file


                 <SessionCookie secure="true" httpOnly="true" />


              Somehow it was not deployed at the beginning.


              I basically copied JBoss's standard context.xml over and added that line. As I'm not very familiar with setting up context.xml, I have one minor question:


              The default of crossContext is set to true in JBoss's standard context.xml. Is there a reason for that?


              Thanks a lot for helping out there.
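
Since the thread notes the setting "was not deployed at the beginning", the reliable check is the Set-Cookie header the server actually sends. The following is an added example, not part of the original thread: it audits response headers for the two flags, assuming the session cookie uses the servlet default name JSESSIONID; the sample headers are constructed.

```python
# Added example: audit Set-Cookie headers for the session cookie's flags.
# Assumption: the session cookie is named JSESSIONID (the servlet default).

SESSION_COOKIE = "JSESSIONID"
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes dict)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags have no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def missing_flags(header_value, cookie_name=SESSION_COOKIE):
    """Return the required flags absent from the named cookie, or None
    when this header sets a different cookie."""
    name, _, attrs = parse_set_cookie(header_value)
    if name != cookie_name:
        return None
    return [flag for flag in REQUIRED_FLAGS if flag not in attrs]


def audit(headers):
    """Pair each session-cookie header with its list of missing flags."""
    findings = []
    for header in headers:
        missing = missing_flags(header)
        if missing is not None:
            findings.append((header, missing))
    return findings


# Constructed sample headers: before and after the context.xml change,
# plus an unrelated cookie that the audit should skip.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/app",
    "JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for header, missing in audit(SAMPLE_HEADERS):
        status = "OK" if not missing else "missing: " + ", ".join(missing)
        print(f"{status:28} {header}")
```

Feed it the Set-Cookie values captured from a fresh login over HTTPS after redeploying; an empty missing list means the deployed context.xml is the one in effect.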