Hi
We are using JBoss 6.1.0 in our product. In a security scan, we have seen that the JSESSIONIDSSO cookie created by the server does not have the Secure and HttpOnly flags.
Please see the attached screenshot. Actually, we are trying to set every cookie's Secure and HttpOnly flags to true in a valve. But after the valve execution has completed and the response comes to the browser, we can see one more JSESSIONIDSSO in the response with the HttpOnly and Secure flags set to false.
We have tried a lot of ways, like:
1. adding the below entry in server.xml:
<Valve className="org.apache.catalina.authenticator.SingleSignOn" cookieHttpOnly="true" />
2. extending the SingleSignOn class and, in the invoke method, setting the cookies' Secure and HttpOnly flags to true
3. moving our valve entry before the SingleSignOn valve entry.
Can anyone help on this?
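The post describes a scanner finding: a second JSESSIONIDSSO Set-Cookie header reaching the browser without the Secure and HttpOnly attributes, even though the application's own valve sets them. The script below is an added example (not code from the poster or from JBoss) for verifying that condition yourself, before and after any server-side fix. It parses every Set-Cookie header in a response individually, so a duplicate cookie emitted later in the response is not masked by an earlier, correctly flagged copy. The sample header values are constructed to mirror the situation described; `fetch_set_cookie_headers` is a small helper for pointing the same check at a real host and is not exercised by the offline sample.

```python
"""Report Set-Cookie headers that lack the Secure or HttpOnly attribute.

Added example, not from the original post. The sample headers below are
constructed: one session cookie set correctly, and a second JSESSIONIDSSO
emitted without either flag, as the post describes.
"""
import http.client
from typing import Dict, List, Tuple

# Constructed sample: raw Set-Cookie header values as the browser would see them.
SAMPLE_SET_COOKIE_HEADERS: List[str] = [
    "JSESSIONID=ABC123; Path=/; Secure; HttpOnly",
    "JSESSIONIDSSO=DEF456; Path=/; Secure; HttpOnly",
    "JSESSIONIDSSO=DEF456; Path=/",
]

# Attributes every session cookie is expected to carry.
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes with no '=' map to ''.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = ""
    return name, attrs


def find_missing_flags(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, [missing flags]) for each header lacking a required flag.

    Each Set-Cookie header is checked on its own rather than merged by name:
    a duplicate JSESSIONIDSSO sent later in the same response would otherwise
    be hidden behind an earlier copy that does carry the flags.
    """
    findings: List[Tuple[str, List[str]]] = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


def fetch_set_cookie_headers(host: str, path: str = "/") -> List[str]:
    """Fetch one HTTPS response and return all its Set-Cookie header values.

    Hypothetical helper for live checks; host and path are supplied by the caller.
    """
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("GET", path)
        response = conn.getresponse()
        # get_all returns every Set-Cookie header, not just the last one.
        return response.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


if __name__ == "__main__":
    for cookie_name, missing_flags in find_missing_flags(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{cookie_name}: missing {', '.join(missing_flags)}")
```

Run it against the constructed sample and only the third header is reported, which is exactly the pattern in the post: the valve-set copy passes, the copy added afterwards does not. Pointing `fetch_set_cookie_headers` at the real server after a configuration change gives a repeatable check that the duplicate is gone.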