How to enable httpOnly flag for the JSessionIDSSO cookie in EAP

Solution Verified - Updated -


  • We would like to enable the HttpOnly cookie flag for JSessionID cookies generated by JBoss. We have noticed that this can be accomplished by updating the context.xml file located under JBossServerHome/deploy/jbossweb.sar and adding a new child SessionCookie element under the existing Context element and setting the httpOnly attribute to true. This appears to work for the standard JSessionID cookie, however, JBoss can also generate a JSessionIdSSO cookie which does not seem to be affected by the httpOnly setting specified in context.xml. Can the httpOnly flag also be enabled for the JSessionIDSSO cookie?


  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 5.x
    • 6.x

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In