How to setup session cookie to be httpOnly and secure in JBOSS 7?

pavelz Dec 1, 2011 11:14 PM

I used the following steps with JBOSS5 and 6, but these are not applicable to JBOSS 7:

- change server/CONFIG/deploy/jbossweb.sar/context.xml

- add <SessionCookie httpOnly="true" secure="true">

Thanks

-pavel-

1. Re: How to setup session cookie to be httpOnly and secure in JBOSS 7?

guinotphil Dec 2, 2011 8:33 AM (in response to pavelz)

I'm not reallysure, but can you try to add this on your web.xml

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
Actions
2. Re: How to setup session cookie to be httpOnly and secure in JBOSS 7?

pavelz Dec 3, 2011 6:16 AM (in response to guinotphil)

Thank you Guinot,

it works with 3.0 version of web.xml.

I had to update all my wars/ears depending on the environment, comparing to a single configuration change that was required with JBOSS 5,6. The settings of cookie protection are the same for the whole JBOSS instance, it was a good idea to allow global configuration of session cookie in JBOSS5,6, this feature is most likely missing in JBOSS7.
Actions