Jboss 5. HttpOnly session cookies

Question

How to configure JBoss 5.1.* to make session cookie HttpOnly?

<Context useHttpOnly="true">

Doesn't work.

Answer 1

Have you tried

<SessionCookie secure="true" httpOnly="true" />

as explained here .

Answer 2

I'm using JBoss [EAP] 5.0.1 and adding

<SessionCookie secure="true" httpOnly="true" />

in <myJBossServerInstancePath>/deploy/jbossweb.sar/context.xml

<Context cookies="true" crossContext="true">
    <SessionCookie secure="true" httpOnly="true" />
    ...

works perfectly (thanks Luciano).

Answer 3

Add

<SessionCookie secure="true" httpOnly="true" />

In $JBOSS_HOME/deploy/jbossweb.sar/context.xml

<Context cookies="true" crossContext="true">
   <SessionCookie secure="true" httpOnly="true" />

Make sure HTTPS/SSL configured in the server to work.