Setting httponly in JSESSIONID cookie (Java EE 5)

长情又很酷 2020-12-30 07:10

I'm trying to set the httponly flag on the JSESSIONID cookie. I'm working in Java EE 5, however, and can't use setHttpOnly(). First I tried to create my ow

2 answers
  • 2020-12-30 07:48

    You can use this with Java EE 5:

    For Java Enterprise Edition versions prior to Java EE 6 a common workaround is to overwrite the SET-COOKIE http response header with a session cookie value that explicitly appends the HttpOnly flag:

    // inside doFilter(): request/response are HttpServletRequest/HttpServletResponse
    String sessionid = request.getSession().getId();
    // be careful overwriting: JSESSIONID may have been set with other flags
    // (setHeader replaces every Set-Cookie value already on the response,
    //  including the Path the container set; header names are case-insensitive)
    response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
    

    Source: https://www.owasp.org/index.php/HttpOnly

    I tested it in a filter

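    A complete servlet filter for this workaround, as an added example: it is not the answer's or OWASP's code, and the class name HttpOnlySessionCookieFilter and the web.xml mapping in the comment are assumptions. Unlike the bare snippet, it rebuilds the cookie with the Path the container would have used and adds Secure on TLS requests, so overwriting the container's Set-Cookie does not silently drop those attributes:

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (added example, not the original answer's code) that
 * applies the OWASP workaround for Servlet 2.5 / Java EE 5, where
 * Cookie.setHttpOnly() does not exist.
 *
 * Assumed web.xml registration so that it runs before every servlet:
 *
 *   <filter>
 *     <filter-name>HttpOnlySessionCookieFilter</filter-name>
 *     <filter-class>example.HttpOnlySessionCookieFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>HttpOnlySessionCookieFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class HttpOnlySessionCookieFilter implements Filter {

    // Default session cookie name in the common containers; adjust if yours differs.
    private static final String SESSION_COOKIE = "JSESSIONID";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;

            // Create the session here, before the servlet runs, so the container
            // emits its own Set-Cookie now, while the response is still
            // uncommitted and the header can still be replaced.
            HttpSession session = request.getSession(true);

            if (session.isNew()) {
                // setHeader() replaces every Set-Cookie value present so far,
                // i.e. the container's session cookie. Cookies the application
                // adds later via addCookie() are appended and stay intact.
                response.setHeader("Set-Cookie", buildSessionCookie(request, session.getId()));
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Rebuild the session cookie with the Path the container would have set,
     * plus HttpOnly, and Secure when the request arrived over TLS.
     */
    static String buildSessionCookie(HttpServletRequest request, String sessionId) {
        String path = request.getContextPath();
        if (path == null || path.length() == 0) {
            path = "/";   // root context: the container uses "/" as well
        }
        StringBuilder cookie = new StringBuilder();
        cookie.append(SESSION_COOKIE).append('=').append(sessionId);
        cookie.append("; Path=").append(path);
        if (request.isSecure()) {
            cookie.append("; Secure");
        }
        cookie.append("; HttpOnly");
        return cookie.toString();
    }
}
```

    Two caveats to keep in mind when deploying it: calling getSession(true) in a filter creates a session for every visitor, which the original OWASP snippet also does; and sessions created before the filter was deployed already live in browsers without HttpOnly, so invalidate them or restart the container. Verify the result by fetching a page with curl -I and checking that the Set-Cookie line for JSESSIONID carries HttpOnly, the expected Path and, over HTTPS, Secure.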
  • 2020-12-30 07:57

    Since the JSESSIONID cookie is managed by the servlet container, this setting is servlet container specific. It's unclear which one you're using, so here's an Apache Tomcat 6.0 targeted answer so that you know in which direction you'll have to look for your servlet container: you need to set the useHttpOnly attribute of the web application's <Context> element to true.

    <Context useHttpOnly="true">
        ...
    </Context>
    

    Also see this Tomcat documentation about the <Context> element.
