5 Replies Latest reply on Dec 12, 2016 9:22 AM by Naresh Kallamadi

    Add HttpOnly and Secure attributes to JSESSIONID cookie

    Kalyan M Newbie



      We are using JBoss 4.3 CP 09 server for our applications. SSL is not provided by the server but by an external component. I would like the 'HttpOnly' and 'secure' attributes to be added to the JSESSIONID cookie generated by one application. For this server version, the only way that I have found is to use a Servlet Filter and add the JSESSIONID as below.


      public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain filterChain) throws IOException, ServletException {
          final HttpServletResponse response = (HttpServletResponse) res;
          final HttpServletRequest request = (HttpServletRequest) req;

          if (response.containsHeader("SET-COOKIE")) {  // *******
              // SECURE_FLAG is a constant that is not shown in the post
              response.setHeader("SET-COOKIE", "JSESSIONID=" + request.getSession().getId() + "; Path=" + request.getContextPath()
                      + "; HttpOnly" + (request.isSecure() ? SECURE_FLAG : ""));
          }

          filterChain.doFilter(req, res);
      }



      Is there a better approach than doing it this way? I would prefer to let the server handle the cookie.


      Also, response.containsHeader("SET-COOKIE") always seems to return false.


      Please provide your suggestions.




      Kalyan Matha
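
One way to write the filter described in the question, as an added example that is not code from the thread: it keys on `session.isNew()` instead of `containsHeader`, and takes the Secure decision from a hypothetical `forceSecure` init-param, since `request.isSecure()` may report false when TLS ends at an external component. It assumes the Servlet 2.4 API and that the container's own session cookie can be overwritten with `setHeader`; the class and helper names are illustrative.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from the thread.
public class SessionCookieFlagsFilter implements Filter {

    // Hypothetical init-param "forceSecure": set to "true" when TLS is terminated
    // by an external component and request.isSecure() reports false here.
    private boolean forceSecure;

    public void init(final FilterConfig config) throws ServletException {
        forceSecure = "true".equalsIgnoreCase(config.getInitParameter("forceSecure"));
    }

    // Builds the Set-Cookie value; an empty context path (root context) becomes "/".
    static String sessionCookie(final String id, final String contextPath, final boolean secure) {
        final String path = (contextPath == null || contextPath.length() == 0) ? "/" : contextPath;
        return "JSESSIONID=" + id + "; Path=" + path + "; HttpOnly" + (secure ? "; Secure" : "");
    }

    public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) req;
        final HttpServletResponse response = (HttpServletResponse) res;

        // Creates the session up front (as the posted filter does) so the cookie can be
        // rewritten before the chain runs and before the response can be committed.
        final HttpSession session = request.getSession();
        if (session.isNew()) {
            // setHeader overwrites Set-Cookie values already set, so map this
            // filter ahead of any filter that sets cookies of its own.
            response.setHeader("Set-Cookie", sessionCookie(session.getId(),
                    request.getContextPath(), forceSecure || request.isSecure()));
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

After deploying, confirm the result on the wire: the first response that establishes a session should carry a single `Set-Cookie: JSESSIONID=...; HttpOnly; Secure` header.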