- We would like to enable the HttpOnly cookie flag for JSessionID cookies generated by JBoss. We have noticed that this can be accomplished by updating the context.xml file located under JBossServerHome/deploy/jbossweb.sar, adding a new child SessionCookie element under the existing Context element, and setting the httpOnly attribute to true. This appears to work for the standard JSessionID cookie; however, JBoss can also generate a JSessionIdSSO cookie, which does not seem to be affected by the httpOnly setting specified in context.xml. Can the httpOnly flag also be enabled for the JSessionIDSSO cookie?
- Red Hat JBoss Enterprise Application Platform (EAP)
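The question above hinges on which cookies actually carry the HttpOnly attribute after the SessionCookie change in context.xml, and the authoritative place to check is the Set-Cookie headers the server returns rather than the configuration file. The following POSIX shell script is an added example, not part of this Red Hat article or of JBoss itself: it parses Set-Cookie headers, reports every JSESSIONID* cookie that lacks HttpOnly or Secure, and returns a non-zero status when any of them lacks HttpOnly. The header lines it is run against are constructed sample data (a JSESSIONID that has been fixed and a JSESSIONIDSSO that has not); the `check_live_cookies` helper and the URL in its comment are hypothetical usage and are not exercised here.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article or of JBoss itself.
# Reports which JBoss session cookies (JSESSIONID, JSESSIONIDSSO) are returned
# without the HttpOnly or Secure attribute, so you can confirm whether the
# <SessionCookie httpOnly="true"/> setting in context.xml reached every cookie.

# Constructed sample response, not a real capture: JSESSIONID already carries
# HttpOnly (the context.xml setting worked), JSESSIONIDSSO does not.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=5F2A1C0E9B7D3A8C2E4B6D8F0A1C3E5F; Path=/app; HttpOnly
Set-Cookie: JSESSIONIDSSO=9C4E2B1D7F3A6E80B2D4F6A8C0E2B4D6; Path=/
Content-Type: text/html'

# check_cookie_flags HEADERS
# Prints "<name>: missing HttpOnly" / "<name>: missing Secure" for each
# JSESSIONID* cookie that lacks the attribute. Returns 1 if any of them lacks
# HttpOnly (the property the question is about), 0 otherwise.
check_cookie_flags() {
    printf '%s\n' "$1" | awk '
        { sub(/\r$/, "") }                         # tolerate CRLF from curl
        tolower($0) ~ /^set-cookie:/ {
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)         # strip "Set-Cookie:" prefix
            split(line, kv, "=")                   # "NAME=value; ..." -> NAME
            name = kv[1]
            if (toupper(name) !~ /^JSESSIONID/) next
            n = split(tolower(line), attr, ";")    # attributes follow the value
            httponly = 0; secure = 0
            for (i = 2; i <= n; i++) {
                a = attr[i]
                gsub(/^[ \t]+|[ \t]+$/, "", a)     # trim surrounding blanks
                if (a == "httponly") httponly = 1
                if (a == "secure")   secure = 1
            }
            if (!httponly) { printf "%s: missing HttpOnly\n", name; bad = 1 }
            if (!secure)   { printf "%s: missing Secure\n", name }
        }
        END { exit (bad ? 1 : 0) }'
}

# check_live_cookies URL
# Same check against a running server; -D - dumps the response headers to
# stdout and -o /dev/null discards the body. Hypothetical usage, not run here:
#   check_live_cookies https://jboss.example.com/app/
check_live_cookies() {
    check_cookie_flags "$(curl -s -o /dev/null -D - "$1")"
}

# Run against the constructed sample when executed directly.
if check_cookie_flags "$SAMPLE_HEADERS"; then
    echo "every JSESSIONID* cookie carries HttpOnly"
else
    echo "at least one session cookie lacks HttpOnly (see above)"
fi
```

Note that JSESSIONIDSSO is only issued once the single sign-on valve has authenticated a request, so the live check must be pointed at a response that follows a successful login (for example, by giving curl the credentials or form post the application expects), not at an anonymous page; an anonymous request will typically show only JSESSIONID and pass the check even when the SSO cookie is unprotected.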