I saw on the thread "How do you configure HttpOnly cookies in tomcat / java webapps?" that Tomcat 5.5.(>28) is supposed to support the vendor-specific useHttpOnly attribute specified in <Context> elements.
I added this attribute to ALL contexts configured in my server.xml.
However, only the JSESSIONID was appended with the "; httpOnly" flag. All other cookies are exactly like they were before I added useHttpOnly="true".
Set-Cookie=
JSESSIONID=25E8F...; Path=/custompath; HttpOnly
mycustomcookie1=xxxxxxx; Path=/
mycustomcookie2=1351101062602; Path=/
mycustomcookie3=0; Path=/
mycustomcookie4=1; Path=/; Secure
mycustomcookie5=4000; Expires=Sat, 22-Oct-2022 17:51:02 GMT; Path=/
Is there anything else I need to change?
(Upgrading to Tomcat 6 or 7 is not an option for now. Our system uses a third-party framework based on Tomcat 5.5.)
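A check for the situation described above, as an added example that is not part of the original post: it parses Set-Cookie values like the ones listed and reports which cookies lack a required attribute (HttpOnly by default). The function names and the SAMPLE_HEADERS constant are assumptions made for this example; the sample values are the ones quoted in the post.

```python
# Added example: audit Set-Cookie values for missing attributes.
# SAMPLE_HEADERS reproduces the header values quoted in the post
# (the session id is truncated there as well).

SAMPLE_HEADERS = [
    "JSESSIONID=25E8F...; Path=/custompath; HttpOnly",
    "mycustomcookie1=xxxxxxx; Path=/",
    "mycustomcookie2=1351101062602; Path=/",
    "mycustomcookie3=0; Path=/",
    "mycustomcookie4=1; Path=/; Secure",
    "mycustomcookie5=4000; Expires=Sat, 22-Oct-2022 17:51:02 GMT; Path=/",
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {attribute: value}).

    Splitting happens on ';' only, so the comma inside an Expires
    date does not break the parse. Attribute names are lowercased
    because they are case-insensitive (HttpOnly vs httpOnly).
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit(headers, flags=("HttpOnly",)):
    """Return {cookie name: [missing flags]} for cookies lacking a flag."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [flag for flag in flags if flag.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Passing flags=("HttpOnly", "Secure") extends the same check to the Secure attribute.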