I used the following steps with JBoss 5 and 6, but these are not applicable to JBoss 7:
- change server/CONFIG/deploy/jbossweb.sar/context.xml
- add <SessionCookie httpOnly="true" secure="true"/>
The solution I found for JBoss 7 is to add the http-only tag to the session config in web.xml:
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
So as I understand it, this is configuration at the application level (web.xml). How can we configure session cookie protection for the whole JBoss instance? It was a good idea to allow global configuration of the session cookie in JBoss 5/6; is this feature missing in JBoss 7? This question may be a repeat of others on StackOverflow, but I could not get proper clarity from those answers.
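Whichever way the cookie flags end up configured, the check that matters is whether every application on the instance actually returns its session cookie with both HttpOnly and Secure. The script below is an added example, not code from the question or from JBoss: it parses Set-Cookie headers per RFC 6265 (attribute names case-insensitive) and reports the missing flags per application. It assumes the container's session cookie is named JSESSIONID (the Servlet default), and the per-application sample headers are constructed, not captured from a real server; audit_url() is the live variant for your own instance.

```python
"""Audit Set-Cookie headers for HttpOnly and Secure on the session cookie.

Added example, not part of the original question. Assumes the session cookie
is named JSESSIONID (Servlet default); the SAMPLES below are constructed.
"""
import urllib.request
from typing import Dict, List

SESSION_COOKIE = "JSESSIONID"  # assumption: default Servlet session cookie name


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive (RFC 6265); flag attributes such as
    HttpOnly and Secure are stored as True, valued ones (Path, Max-Age) as str.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, object] = {"name": name.strip(), "value": value.strip(), "attrs": {}}
    attrs: Dict[str, object] = cookie["attrs"]  # type: ignore[assignment]
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a trailing ';'
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return cookie


def audit_session_cookie(set_cookie_headers: List[str]) -> List[str]:
    """Return the list of problems for the session cookie; empty means OK."""
    problems: List[str] = []
    session = [c for c in (parse_set_cookie(h) for h in set_cookie_headers)
               if c["name"] == SESSION_COOKIE]
    if not session:
        return [f"no {SESSION_COOKIE} cookie set"]
    for c in session:
        attrs = c["attrs"]  # type: ignore[index]
        if attrs.get("httponly") is not True:
            problems.append(f"{SESSION_COOKIE} missing HttpOnly")
        if attrs.get("secure") is not True:
            problems.append(f"{SESSION_COOKIE} missing Secure")
    return problems


def audit_url(url: str) -> List[str]:
    """Live variant: fetch a URL on your own instance and audit its Set-Cookie headers."""
    with urllib.request.urlopen(url) as resp:
        headers = resp.headers.get_all("Set-Cookie") or []
    return audit_session_cookie(headers)


def audit_instance(samples: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Audit one set of response headers per deployed application."""
    return {path: audit_session_cookie(hdrs) for path, hdrs in samples.items()}


# Constructed sample responses, one per deployed application (not captured from a server).
SAMPLES = {
    "/app-with-cookie-config": ["JSESSIONID=abc123; Path=/app-with-cookie-config; Secure; HttpOnly"],
    "/app-without-cookie-config": ["JSESSIONID=def456; Path=/app-without-cookie-config"],
    "/app-that-sets-no-session": ["theme=dark; Path=/"],
}

if __name__ == "__main__":
    for path, problems in audit_instance(SAMPLES).items():
        print(path, "OK" if not problems else ", ".join(problems))
```

Run it against the sample set and only the application whose web.xml carries the cookie-config comes back clean; pointing audit_url() at each context root of a real instance gives the same per-application view, which is exactly the gap a global setting would close.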