3 Replies Latest reply on Jan 18, 2012 4:43 AM by Jean-Frederic Clere

    How to set HttpOnly for session cookie ?

    Shantanu Upadhyaya Newbie

      I have a JSF web app deployed on JBoss 4.2.3 . I'd like to add HttpOnly on the session cookie and it looks like there's no configuration available for this version.


      I wrote a servlet filter to add "HttpOnly" which I add only the Response contains SET-COOKIE . This DOESN'T work on JBoss .

      reponse.containsHeader("SET-COOKIE") always returns false. I'm using a middle man proxy server and I can see that Set-Cookie response header is indeed getting generated.

      Anyone to throw light on this ?


      The filter works fine on Tomcat 6.x .