0 Replies Latest reply on Sep 17, 2014 12:51 PM by Reddy Gujja

    HttpOnly attribute to be added to JSESSIONID

    Reddy Gujja Newbie

      I am trying to add “HttpOnly” and “Secure” attribute to the JSESSIONID cookie. I made following changes to the context.xml as per suggestion posted at https://developer.jboss.org/message/598558#598558. Also I found https://www.sparkred.com/blog/how-to-fix-httponly-vulnerability-in-oracle-atg-commerce-applications/ solution helpful. But I am still not seeing "HttpOnly" attribute added to JSESSIONID cookie, "Secure" works fine? Ideas?

      Here is some information about my environment

      JBoss Version: jboss-eap-5.1

      Application ATG: 10.2

      Browser: Firefox (24.5), Chrome (37)

      context.xml (JBOSS_HOME/jboss-as/server/<server-instance>/deploy/jbossweb.sar

      <Context cookies="true" crossContext="true" allowLinking="true">

          <SessionCookie secure="true" httpOnly="true"/>



      No other context.xml exists in any of the .WAR directories.