Question
How to configure JBoss 5.1.* to make session cookie HttpOnly?
<Context useHttpOnly="true">
Doesn't work.
Answer 1:
Have you tried
<SessionCookie secure="true" httpOnly="true" />
as explained here.
Answer 2:
I'm using JBoss [EAP] 5.0.1 and adding
<SessionCookie secure="true" httpOnly="true" />
in <myJBossServerInstancePath>/deploy/jbossweb.sar/context.xml
<Context cookies="true" crossContext="true">
    <SessionCookie secure="true" httpOnly="true" />
    ...
works perfectly (thanks Luciano).
Answer 3:
Add
<SessionCookie secure="true" httpOnly="true" />
in $JBOSS_HOME/deploy/jbossweb.sar/context.xml
<Context cookies="true" crossContext="true">
    <SessionCookie secure="true" httpOnly="true" />
Make sure HTTPS/SSL is configured in the server for this to work.
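
A check for the result of the configuration in the answers above, as an added example that is not part of the original posts: it audits a response's Set-Cookie headers for the HttpOnly and Secure flags on the session cookie, and reports the case answer 3 points at, where Secure is set but the response came over plain HTTP. The header strings are constructed samples and the function names are hypothetical; JSESSIONID is the standard servlet session cookie name.

```python
# Added example: audit Set-Cookie headers for the flags configured via
# <SessionCookie secure="true" httpOnly="true" />.
# Function names are hypothetical; sample headers are constructed.

SESSION_COOKIE = "JSESSIONID"  # standard servlet session cookie name


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, attrs); attribute names lowercased."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_session_cookie(set_cookie_headers, request_scheme):
    """Return finding codes for the session cookie; an empty list means it passes."""
    findings = []
    seen = False
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name != SESSION_COOKIE:
            continue
        seen = True
        if "httponly" not in attrs:
            # Page script can read the session id via document.cookie.
            findings.append("missing-httponly")
        if "secure" not in attrs:
            # Cookie is also sent on plain-HTTP requests.
            findings.append("missing-secure")
        elif request_scheme.lower() != "https":
            # Browser will not return a Secure cookie over HTTP, so the
            # session is lost unless HTTPS/SSL is configured on the server.
            findings.append("secure-over-http")
    if not seen:
        findings.append("no-session-cookie")
    return findings


if __name__ == "__main__":
    # Constructed sample: response from a server with the setting applied.
    sample = ["JSESSIONID=ABC123; Path=/app; Secure; HttpOnly"]
    print(audit_session_cookie(sample, "https"))
    print(audit_session_cookie(sample, "http"))
```
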
Source: https://stackoverflow.com/questions/10457204/jboss-5-httponly-session-cookies