0 Replies Latest reply on Sep 17, 2014 12:51 PM by reddy.gujja

    HttpOnly attribute to be added to JSESSIONID

    reddy.gujja

      I am trying to add the “HttpOnly” and “Secure” attributes to the JSESSIONID cookie. I made the following changes to context.xml as per the suggestion posted at https://developer.jboss.org/message/598558#598558. I also found the solution at https://www.sparkred.com/blog/how-to-fix-httponly-vulnerability-in-oracle-atg-commerce-applications/ helpful. But I am still not seeing the "HttpOnly" attribute added to the JSESSIONID cookie; "Secure" works fine. Ideas?


      Here is some information about my environment

      JBoss Version: jboss-eap-5.1

      Application ATG: 10.2

      Browser: Firefox (24.5), Chrome (37)

      context.xml (JBOSS_HOME/jboss-as/server/<server-instance>/deploy/jbossweb.sar)

      <Context cookies="true" crossContext="true" allowLinking="true">
          <SessionCookie secure="true" httpOnly="true"/>
      </Context>

      No other context.xml exists in any of the .WAR directories.
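The post's problem is confirming whether the server actually emits the HttpOnly flag. The following is an added example, not code from the original post or from JBoss/ATG: a small parser for raw Set-Cookie header values (as copied from a browser's network tab or from a curl response) that reports which JSESSIONID cookies lack the HttpOnly or Secure attribute. The header lines are constructed sample data; the function and variable names are this example's own.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example (not part of the original forum post). Paste the
Set-Cookie values a server returns into SAMPLE_HEADERS, or feed them in
from a captured response, to see which session cookies are missing the
flags that the context.xml change is meant to add.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample headers: the first lacks HttpOnly, the second has both
# flags, the third is not a session cookie and is ignored by the audit.
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123; Path=/; Secure",
    "JSESSIONID=DEF456; Path=/; Secure; HttpOnly",
    "tracking=xyz; Path=/",
]


def parse_set_cookie(header_value: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie value into its name/value and its attributes.

    Attribute names are case-insensitive (RFC 6265), so they are stored
    lower-cased. Flag attributes such as HttpOnly and Secure carry no
    value and map to None.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if sep else None
    return cookie


def missing_flags(header_value: str,
                  required: Tuple[str, ...] = ("httponly", "secure")) -> List[str]:
    """Return the required flag names absent from this Set-Cookie value."""
    cookie = parse_set_cookie(header_value)
    return [flag for flag in required if flag not in cookie]


def audit_headers(headers: List[str],
                  cookie_name: str = "JSESSIONID") -> List[Tuple[str, List[str]]]:
    """For each Set-Cookie naming the session cookie, pair its value with
    the list of missing flags. An empty list means both flags are present."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] != cookie_name:
            continue
        findings.append((cookie["value"], missing_flags(header)))
    return findings


if __name__ == "__main__":
    for value, missing in audit_headers(SAMPLE_HEADERS):
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"JSESSIONID={value}: {status}")
```

Run it against the real Set-Cookie values from the JBoss response rather than the samples; an empty missing-flag list for the JSESSIONID entry is the result the context.xml change is supposed to produce.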