I'm working with a web application that uses Servlet API v2.5, running on Tomcat 6, and I need to send HttpOnly cookies to the client. I'm not talking about session cookies generated by the servlet container (which is covered excellently by this question), but custom cookies added to the response using response.addCookie().

The Cookie#setHttpOnly() method does not exist in v2.5, so I have to build the HTTP header myself and add the HttpOnly token. Is there an easy way to do this without rolling my own implementation of RFC 6265 from scratch?
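The manual header construction the question describes, as an added example that is not part of the original post: it builds a `Set-Cookie` value ending in `HttpOnly` and rejects names, values and paths outside the RFC 6265 grammar, so a CR/LF or `;` in application data cannot inject extra attributes or headers. The class and method names are hypothetical; in a Servlet 2.5 application the result would be passed to `response.addHeader("Set-Cookie", ...)`.

```java
import java.util.regex.Pattern;

// Hypothetical helper (not from the original post): builds a Set-Cookie header
// value with the HttpOnly attribute for containers without Cookie#setHttpOnly().
public final class HttpOnlyCookieHeader {
    // RFC 6265 section 4.1.1: cookie-name is an RFC 2616 "token".
    private static final Pattern NAME =
        Pattern.compile("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");
    // cookie-octet: US-ASCII without CTLs, space, DQUOTE, comma, semicolon, backslash.
    private static final Pattern VALUE =
        Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*");
    // path-value: any printable US-ASCII character except ";".
    private static final Pattern PATH = Pattern.compile("[\\x20-\\x3A\\x3C-\\x7E]+");

    private HttpOnlyCookieHeader() {}

    // path may be null (attribute omitted); maxAgeSeconds < 0 means a session cookie.
    public static String build(String name, String value, String path,
                               int maxAgeSeconds, boolean secure) {
        if (name == null || !NAME.matcher(name).matches())
            throw new IllegalArgumentException("invalid cookie name");
        if (value == null || !VALUE.matcher(value).matches())
            throw new IllegalArgumentException("invalid cookie value");
        if (path != null && !PATH.matcher(path).matches())
            throw new IllegalArgumentException("invalid cookie path");

        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (path != null) sb.append("; Path=").append(path);
        if (maxAgeSeconds >= 0) sb.append("; Max-Age=").append(maxAgeSeconds);
        if (secure) sb.append("; Secure");
        return sb.append("; HttpOnly").toString();
    }

    public static void main(String[] args) {
        // Constructed sample values. In a servlet:
        //   response.addHeader("Set-Cookie", HttpOnlyCookieHeader.build(...));
        // addHeader (not setHeader) keeps other Set-Cookie headers intact.
        System.out.println(build("prefs", "theme-dark", "/app", 3600, true));
        try {
            // A value carrying CR/LF must never reach the response header.
            build("prefs", "x\r\nSet-Cookie: sid=1", "/", -1, false);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```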