5 Replies Latest reply on Dec 12, 2016 9:22 AM by naresh1

    Add HttpOnly and Secure attributes to JSESSIONID cookie




      We are using JBoss 4.3 CP 09 server for our applications. SSL is not provided by the server but by an external component. I would like the 'HttpOnly' and 'secure' attributes to be added to the JSESSION ID cookie generated by one application. For this server version, the only way that I seem to find is to use a Servlet Filter and add the JSESSIONID as below.


      public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain filterChain) throws IOException, ServletException {

              final HttpServletResponse response = (HttpServletResponse) res;

              final HttpServletRequest request = (HttpServletRequest) req;

              if (response.containsHeader("SET-COOKIE")) {  // *******

                  response.setHeader("SET-COOKIE", "JSESSIONID=" + request.getSession().getId() + "; Path=" + request.getContextPath()

                          + "; HttpOnly" + (request.isSecure() ? SECURE_FLAG : ""));


              filterChain.doFilter(req, res);



      Is there a better approach than doing it this way? I would prefer to let the server handle the cookie.


      Also response.containsHeader("SET-COOKIE") always seem to return false.


      Please provide your suggestions.




      Kalyan Matha