Does anyone know what changed in the configuration between Tomcat 6 and Tomcat 7 that would cause the JSESSIONID
cookie to not be accessible via JavaScript?
Okay, I found the answer. The useHttpOnly attribute was set to false by default in Tomcat 6, and is true in Tomcat 7. This attribute is set for the container.
For more information about updating from Tomcat 6 to 7: Migrating from 6.0.x to 7.0.x
I'm not sure why I didn't see that in the docs before, but I've verified that setting this to false does in fact cause Tomcat 7 to revert to the Tomcat 6 behavior.
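
An added example, not part of the original post: a small Python audit that works out the effective useHttpOnly value for a Context definition using the defaults stated in the answer (false in Tomcat 6, true in Tomcat 7), and checks whether a Set-Cookie header for JSESSIONID actually carries the HttpOnly flag. The function names and all sample inputs are constructed for illustration; the example treats any attribute value other than "true" as false.

```python
import xml.etree.ElementTree as ET

# Defaults as stated in the answer above; other versions are not covered here.
DEFAULT_HTTP_ONLY = {6: False, 7: True}


def effective_http_only(context_xml, tomcat_major):
    """Return the effective useHttpOnly setting for a <Context> definition."""
    root = ET.fromstring(context_xml)
    if root.tag != "Context":
        raise ValueError("expected a <Context> root element, got <%s>" % root.tag)
    raw = root.get("useHttpOnly")
    if raw is None:
        # Attribute absent: the version default decides.
        return DEFAULT_HTTP_ONLY[tomcat_major]
    # Assumption of this example: only "true" (any case) enables the flag.
    return raw.strip().lower() == "true"


def cookie_is_http_only(set_cookie, name="JSESSIONID"):
    """Check one Set-Cookie header value for the HttpOnly attribute."""
    parts = [p.strip() for p in set_cookie.split(";")]
    if parts[0].split("=", 1)[0] != name:
        raise ValueError("header does not set %s" % name)
    # Attribute names are case-insensitive; HttpOnly carries no value.
    return any(p.lower() == "httponly" for p in parts[1:])


def audit(context_xml, tomcat_major, set_cookie):
    """Return findings for a config/response pair (empty list means OK)."""
    findings = []
    if not effective_http_only(context_xml, tomcat_major):
        findings.append("config: session cookie readable from JavaScript")
    if not cookie_is_http_only(set_cookie):
        findings.append("response: JSESSIONID sent without HttpOnly")
    return findings


if __name__ == "__main__":
    # Constructed samples: a Tomcat 7 context reverted to the Tomcat 6 behavior.
    reverted = '<Context useHttpOnly="false"><Manager pathname=""/></Context>'
    header = "JSESSIONID=0123456789ABCDEF; Path=/app"
    for finding in audit(reverted, 7, header):
        print(finding)
```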