0 Replies Latest reply on Feb 26, 2013 2:33 AM by nimo stephan

    Richfaces, servlet 3 HttpSession and http-only-cookie

    nimo stephan Master

      I want to use httpOnly SessionCookie in JSF 2, Servlet 3.0 environment:

       

      {code}

      <session-config>

              <cookie-config>

                 <http-only>true</http-only>

              </cookie-config>

            </session-config>

      {code}

       

      My question is:

       

      Does Richfaces (or in general, any jsf-library) makes use of httpsession via Javascript (for example, Richfaces makes use of Athmosphere lib in a4j:push) ?

       

      If so, I cannot use <http-only>true</http-only>, because this would prevent the access from the session cookie by any javascript (library).