2 Replies. Latest reply: Feb 23, 2012 6:23 AM by Alastair Rodgers

How to set HttpOnly and Secure flag in cookies - JBoss 5.1.0

Mike Wigge Newbie



I have to set the HttpOnly and the Secure flag in cookies.


There are some manuals on how to set HttpOnly:

"In Tomcat 6 flag useHttpOnly=True in context.xml to force this behaviour for applications, including Tomcat-based frameworks like JBoss."

The context.xml can be found in jboss/server/<myserver>/deploy/jbossweb.sar/context.xml


Now it looks like this:

<!-- The contents of this file will be loaded for each web application -->
<Context cookies="true" crossContext="true" useHttpOnly="true">
   <!-- Session persistence is disable by default. To enable for all web
   apps set the pathname to a non-empty value:
   <Manager pathname="SESSIONS.ser" />


   To enable session persistence for a single web app, add a
   <Manager pathname="" />


   <!-- Install an InstanceListener to handle the establishment of the run-as
   role for servlet init/destroy events.



Regrettably, it doesn't work.


I wasn't able to find a manual on how to set the Secure flag, either.


Can anyone help me?


Thanks in advance.
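
Whether a context.xml change like the one above took effect can be confirmed by inspecting the Set-Cookie headers the server returns. The following is an added example, not part of the original post: the function names and sample header values are constructed, and JSESSIONID is assumed to be the session cookie name (the servlet container default).

```python
# Added example: audit Set-Cookie header values for the HttpOnly and Secure
# attributes. Sample headers below are constructed, not captured from JBoss.

REQUIRED_FLAGS = ("HttpOnly", "Secure")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).

    Attribute names are matched case-insensitively; only the parts after
    the first ';' are treated as attributes, so a cookie *value* that
    happens to contain the word 'secure' is not mistaken for the flag.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookies(set_cookie_headers, names=("JSESSIONID",)):
    """Return [(cookie_name, [missing flags])] for the cookies in `names`.

    `set_cookie_headers` is a list with one entry per Set-Cookie header.
    """
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name in names:
            missing = [f for f in REQUIRED_FLAGS if f.lower() not in attrs]
            findings.append((name, missing))
    return findings


# Constructed samples: a response without the flags and one with both set.
SAMPLE_UNFLAGGED = ["JSESSIONID=0123ABCD.node1; Path=/myapp"]
SAMPLE_FLAGGED = ["JSESSIONID=0123ABCD.node1; Path=/myapp; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("unflagged", SAMPLE_UNFLAGGED),
                           ("flagged", SAMPLE_FLAGGED)):
        for name, missing in audit_cookies(headers):
            status = "OK" if not missing else "missing " + ", ".join(missing)
            print(f"{label}: {name}: {status}")
```

The header values to feed in can be copied from any HTTP client that shows response headers; the Secure attribute should be checked on a response served over HTTPS.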