
I used the following steps with JBOSS5 and 6, but these are not applicable to JBOSS 7:

  - change server/CONFIG/deploy/jbossweb.sar/context.xml
  - add <SessionCookie httpOnly="true" secure="true"/>

As I found a solution for JBoss 7: add the http-only tag to the session config in web.xml

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

So as I understand it, this is about configuration at the application level (web.xml). So how can we configure cookie protection for the whole JBoss instance? It was a good idea to allow global configuration of the session cookie in JBoss 5/6; is this feature missing in JBoss 7? This question may be repeated on StackOverflow, but I could not get proper clarity from those answers.

bNd

1 Answer


No need to configure this as part of some proprietary config file. This configuration is now part of the Servlet spec, which means it can be configured as part of web.xml

<session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>

Just make sure you use the 3.0 XSD version of web.xml.

Tomaz Cerar
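Added example, not part of the question or the answer: a small Python check that embeds a constructed Servlet 3.0 web.xml (with the 3.0 schema header the answer refers to) and reports whether the descriptor version and the HttpOnly/Secure cookie flags are actually set, so a deployment can be audited before it goes out. The sample descriptor and the function name are assumptions for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from the original post: a minimal Servlet 3.0
# web.xml of the kind deployed on JBoss AS 7, with the 3.0 schema header.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
</web-app>
"""


def check_session_cookie(web_xml: str) -> dict:
    """Report which session-cookie protections a web.xml enables.

    <cookie-config> was introduced in Servlet 3.0, so a descriptor that
    declares an older version is flagged even if the elements are present:
    the container only honours them when the descriptor claims 3.0 or later.
    """
    root = ET.fromstring(web_xml)
    # The Java EE namespace differs between schema versions; take it from
    # the root element instead of hard-coding one URI.
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = (lambda name: "{%s}%s" % (ns, name)) if ns else (lambda name: name)
    try:
        servlet_3 = float(root.get("version", "0")) >= 3.0
    except ValueError:
        servlet_3 = False

    def flag(*path):
        el = root.find("/".join(q(p) for p in path))
        return el is not None and (el.text or "").strip().lower() == "true"

    modes = [(e.text or "").strip()
             for e in root.findall(q("session-config") + "/" + q("tracking-mode"))]
    return {
        "servlet_3_or_later": servlet_3,
        "http_only": flag("session-config", "cookie-config", "http-only"),
        "secure": flag("session-config", "cookie-config", "secure"),
        "cookie_only_tracking": modes == ["COOKIE"],
    }


if __name__ == "__main__":
    print(check_session_cookie(SAMPLE_WEB_XML))
```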