2 Replies Latest reply: Feb 23, 2012 6:23 AM by Alastair Rodgers RSS

    How to set HttpOnly and Secure flag in cookies - JBoss 5.1.0

    Mike Wigge Newbie

      Hello!

       

      I have to set the HttpOnly and the Secure flag in cookies.

       

      There are some manuals how to set HttpOnly:

      "In Tomcat 6 flag useHttpOnly=True in context.xml to force this behaviour for applications, including Tomcat-based frameworks like JBoss."

      The context.xml can be found in jboss/server/<myserver>/deploy/jbossweb.sar/context.xml

       

      Now it looks like this:

      <!-- The contents of this file will be loaded for each web application -->
      <Context cookies="true" crossContext="true" useHttpOnly="true">
         <!-- Session persistence is disable by default. To enable for all web
         apps set the pathname to a non-empty value:
         <Manager pathname="SESSIONS.ser" />

       

         To enable session persistence for a single web app, add a
         WEB-INF/context.xml
         -->
         <Manager pathname="" />

       

         <!-- Install an InstanceListener to handle the establishment of the run-as
         role for servlet init/destroy events.
         -->
         <InstanceListener>org.jboss.web.tomcat.security.RunAsListener</InstanceListener>

      </Context>

       

      Regrettably, it doesn't work.

       

      I wasn't able to find a manual how to set the Secure flag, either.

       

      Can anyone help me?

       

      Thanks in advance.