We're running grails 2.0 + jetty 7.6.6 and need to set JSESSIONID cookie to be httpOnly. All of the answers on stackoverflow seem to refer to either Servlet 3.0 (which requires jetty 8) or to tomcat. Can anyone provide me with a clear way of setting the JSESSIONID cookie be httpOnly for jetty 7.x?
I have tried adding jetty-web.xml file with the following contents, but it still didn't work (i.e. the JSESSIONID wasn't marked as httpOnly):
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="sessionHandler">
<Get name="sessionManager">
<Set name="httpOnly" type="boolean">true</Set>
</Get>
</Get>
</Configure>
Tomato
All I had to do is to put the jetty-web.xml in the right folder. Initially I was putting into jetty/etc folder, but instead it should have been in the WEB-INF directory.
来源:https://stackoverflow.com/questions/12968217/making-jsessionid-cookie-be-httponly-in-jetty-7