set 'secure' flag to JSESSION id cookie

Question

I want to set \'secure\' flag to JSESSIONID cookie . Is there a configuration in tomcat 6 for this ?

I tried by setting \'secure=\"true\"\' in \'Connector\' (8080) e

Answer 1

If you are using tomcat 6 you can do the following workaround

String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; secure ; HttpOnly");

see https://www.owasp.org/index.php/HttpOnly for more information