Invalid HttpOnly flag

I set the HttpOnly flag in the Set-Cookie response header as follows:

String sessionid = httpReq.getSession().getId();
httpRes.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + ";HttpOnly");

But I can still access the cookie via document.cookie in the browser console. Is my way of setting this flag wrong?

1 answer

If you are using a servlet version 3 or higher, you can specify this in your web.xml, as shown below:

  <session-config>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>

For more details, see the description of the scheme and configuration parameters: http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/web-common_3_0.xsd

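As an added example (not code from the question or the answer above), this is the programmatic equivalent of that cookie-config on the Servlet 3.0 API: the container-managed JSESSIONID cookie is flagged once at startup through SessionCookieConfig, and an application cookie is set through the Cookie API instead of a hand-assembled Set-Cookie header. The class names, the "/login" mapping and the auth_token cookie are assumptions.

```java
// Added example: Servlet 3.0 (javax.servlet) equivalent of <cookie-config><http-only>true</http-only></cookie-config>.
// Assumes a Servlet 3.0+ container; class, path and cookie names are made up for illustration.
import java.io.IOException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Flags the container-managed session cookie (JSESSIONID) once, before any session is created. */
@WebListener
public class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // SessionCookieConfig may only be changed while the context is initializing,
        // which is exactly when this callback runs.
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true); // same effect as <http-only>true</http-only> in web.xml
        cfg.setSecure(true);   // same effect as <secure>true</secure>: only sent over TLS
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}

/** Application cookies: let the Cookie API build the header rather than concatenating it by hand. */
@WebServlet("/login")
class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        // The container writes its own Set-Cookie for JSESSIONID here, using the flags set above.
        req.getSession(true);

        // Constructed placeholder value; a real token would be generated server-side.
        Cookie token = new Cookie("auth_token", "EXAMPLE-TOKEN-VALUE");
        token.setHttpOnly(true); // Servlet 3.0 API: hidden from document.cookie
        token.setSecure(true);
        token.setPath("/");
        res.addCookie(token);
        res.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Because the container emits the JSESSIONID Set-Cookie itself when the session is created, the session cookie's flags belong in SessionCookieConfig or web.xml rather than in a header written by application code.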
