In Servlet 3.0 compliant application servers I can set the HttpOnly and secure flags for the session cookie (JSESSIONID) by adding the following to the web.xml:
<session-config>
    <cookie-config>
        <secure>true</secure>
        <http-only>true</http-only>
    </cookie-config>
</session-config>
However, the application I'm working on is to be deployed in WebSphere 7, which is Servlet 2.5 compliant, and it fails to start if I add the above to the web.xml.
Is there any other declarative way or setting in the WebSphere 7 configuration to turn on the HttpOnly and secure flags for the session cookie?
If not, what would be the best approach to accomplish that programmatically?
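One programmatic route on a Servlet 2.5 container, added here as an illustration and not code from the question or the answer: a filter that wraps the response and appends HttpOnly (and, on HTTPS requests, Secure) to any Set-Cookie header for JSESSIONID, since the 2.5 Cookie class has no setHttpOnly(). The class name is made up and the filter must still be mapped in web.xml.

```java
// Added example: Servlet 2.5 compatible filter that hardens the JSESSIONID
// Set-Cookie header. Servlet 2.5's javax.servlet.http.Cookie has no
// setHttpOnly(), so the flags are appended to the raw header through a
// response wrapper. Class name is illustrative; map it to /* in web.xml.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class SessionCookieFlagsFilter implements Filter {

    /** Appends HttpOnly/Secure to a JSESSIONID Set-Cookie value when missing; other cookies pass through. */
    static String hardenSetCookie(String header, boolean secure) {
        if (header == null || !header.trim().startsWith("JSESSIONID=")) {
            return header;
        }
        boolean hasHttpOnly = false, hasSecure = false;
        for (String part : header.split(";")) {          // attributes are ';'-separated
            String p = part.trim().toLowerCase();
            if (p.equals("httponly")) hasHttpOnly = true;
            if (p.equals("secure")) hasSecure = true;
        }
        StringBuilder sb = new StringBuilder(header);
        if (!hasHttpOnly) sb.append("; HttpOnly");
        if (secure && !hasSecure) sb.append("; Secure");  // Secure only makes sense over TLS
        return sb.toString();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final boolean secure = req.isSecure();
        HttpServletResponseWrapper wrapped = new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override public void addHeader(String name, String value) {
                super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? hardenSetCookie(value, secure) : value);
            }
            @Override public void setHeader(String name, String value) {
                super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? hardenSetCookie(value, secure) : value);
            }
        };
        chain.doFilter(req, wrapped);
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

Some containers write the session cookie to the underlying response rather than through the wrapper, so confirm the flags are present by inspecting the Set-Cookie header of a real login response; where they are not, the container-level setting is the reliable route.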
Best Answer
I think in WebSphere 7 you may have to delve into the administrative console. As ever the WebSphere documentation seems poor but seems to suggest setting the com.ibm.ws.security.addHttpOnlyAttributeToCookies property:
I found this, which I hope is applicable to WAS7. Can you try please (I only have WAS 8 at the moment on my system):
The com.ibm.ws.webcontainer.httpOnlyCookies property is documented on the WAS 7 help site.