I am trying to add the "HttpOnly" and "Secure" attributes to the JSESSIONID cookie. I made the following changes to the context.xml as per the suggestion posted at https://developer.jboss.org/message/598558#598558. I also found the solution at https://www.sparkred.com/blog/how-to-fix-httponly-vulnerability-in-oracle-atg-commerce-applications/ helpful. But I am still not seeing the "HttpOnly" attribute added to the JSESSIONID cookie; "Secure" works fine. Any ideas?
Here is some information about my environment:
JBoss Version: jboss-eap-5.1
Application ATG: 10.2
Browser: Firefox (24.5), Chrome (37)
context.xml (JBOSS_HOME/jboss-as/server/<server-instance>/deploy/jbossweb.sar):
<Context cookies="true" crossContext="true" allowLinking="true">
    <SessionCookie secure="true" httpOnly="true"/>
</Context>
No other context.xml exists in any of the .WAR directories.
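Whether the attributes are really present is easiest to settle by reading the raw Set-Cookie headers the server emits rather than the browser's cookie viewer. The following is an added example, not code from the post above nor from JBoss or ATG: it parses Set-Cookie headers and reports, per cookie, which of HttpOnly and Secure is missing. The sample headers are constructed for illustration (the JSESSIONID value and the other cookie names are invented) and mirror the situation described in the post, where Secure is present but HttpOnly is not. The optional `fetch_headers` helper is an assumption about how one would point it at a live server; the check itself runs offline.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes (added example)."""
import ssl
import urllib.request

# Constructed sample response headers, NOT captured from the poster's server.
# One tuple per header line, in the order the server would send them; a response
# may carry several Set-Cookie headers, so duplicates must be kept separate.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=7E1F3C2A9B0D4E5F6A7B8C9D0E1F2A3B; Path=/; Secure"),
    ("Set-Cookie", "DYN_USER_ID=12345; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=abc; Path=/; Secure; HttpOnly"),
]

# Attributes a session cookie should carry; names are matched case-insensitively.
REQUIRED = ("httponly", "secure")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie_name, {attribute_name: attribute_value}).

    Attribute names are lower-cased because RFC 6265 treats them as case-insensitive;
    flag attributes such as HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookies(headers):
    """Return {cookie_name: [missing attribute names]} for every Set-Cookie header.

    If the same cookie is set more than once in one response, the browser keeps
    the last occurrence, so the last header wins here too.
    """
    report = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hvalue)
        report[name] = [a for a in REQUIRED if a not in attrs]
    return report


def insecure_cookies(headers):
    """Names of cookies that lack at least one required attribute."""
    return sorted(name for name, missing in audit_cookies(headers).items() if missing)


def fetch_headers(url, verify_tls=True):
    """Fetch a URL and return its response headers as (name, value) tuples.

    Assumed usage against a test instance; urllib keeps repeated Set-Cookie headers
    as separate entries in getheaders(). verify_tls=False is only for self-signed
    test certificates, never for anything reachable from the internet.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx) as resp:
        return resp.getheaders()


if __name__ == "__main__":
    # Offline demonstration on the constructed headers.
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

Run against the constructed headers it reports `JSESSIONID: missing httponly`, which is exactly the symptom in the post. Pointing `fetch_headers` at the login page of a test instance and feeding the result to `audit_cookies` gives the same report for the real server; the first response that creates the session is the one to inspect, since JSESSIONID is only set once. A complementary browser-side check is that a cookie carrying HttpOnly never appears in `document.cookie` from the developer console.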