By default, Glassfish v3 doesn't set the httpOnly flag on session cookies (when created as usual with request.getSession()).
I know, there is a method
This is supported via a Servlet 3.0 web.xml (see web-common_3_0.xsd):

<web-app>
    <session-config>
        <cookie-config>
            <!--
                Specifies whether any session tracking cookies created
                by this web application will be marked as HttpOnly
            -->
            <http-only>true</http-only>
        </cookie-config>
    </session-config>
</web-app>
You can also add <secure>true</secure> to boost security:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
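An added audit check (not from the question or the answers above) that parses a web.xml and reports whether session-config/cookie-config enables http-only and secure; the two embedded web.xml documents are constructed samples, and the namespace handling assumes the standard Servlet 3.0 javaee namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: web.xml using the cookie-config shown in the answers.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>"""

# Constructed sample: web.xml that leaves the container defaults alone
# (no cookie-config at all), so neither flag is set on JSESSIONID.
DEFAULT_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>demo</display-name>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit('}', 1)[-1]


def _flag(root, name):
    """True only if session-config/cookie-config/<name> is literally 'true'."""
    for sc in root:
        if _local(sc.tag) != 'session-config':
            continue
        for cc in sc:
            if _local(cc.tag) != 'cookie-config':
                continue
            for el in cc:
                if _local(el.tag) == name:
                    return (el.text or '').strip().lower() == 'true'
    return False


def cookie_flags(web_xml_text):
    """Report which session-cookie hardening flags a web.xml enables."""
    root = ET.fromstring(web_xml_text)
    if _local(root.tag) != 'web-app':
        raise ValueError('not a web.xml: root element is %s' % root.tag)
    return {'http_only': _flag(root, 'http-only'),
            'secure': _flag(root, 'secure')}


def missing_flags(web_xml_text):
    """Flags still unset, i.e. what a deployment review would report."""
    return sorted(k for k, v in cookie_flags(web_xml_text).items() if not v)
```

Point it at a deployed application's WEB-INF/web.xml to confirm the setting actually made it into the build rather than trusting the source tree.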